Merge pull request #2360 from mtrmac/k8s.gcr.io-6

[release-1.6] Refer to registry.k8s.io instead of k8s.gcr.io

.cirrus.yml

@@ -0,0 +1,189 @@
+---
+
+# Main collection of env. vars to set for all tasks and scripts.
+env:
+    ####
+    #### Global variables used for all tasks
+    ####
+    # Name of the ultimate destination branch for this CI run, PR or post-merge.
+    DEST_BRANCH: "main"
+    # Overrides default location (/tmp/cirrus) for repo clone
+    GOPATH: &gopath "/var/tmp/go"
+    GOBIN: "${GOPATH}/bin"
+    GOCACHE: "${GOPATH}/cache"
+    GOSRC: &gosrc "/var/tmp/go/src/github.com/containers/skopeo"
+    # Required for consistency with containers/image CI
+    SKOPEO_PATH: *gosrc
+    CIRRUS_WORKING_DIR: *gosrc
+    # The default is 'sh' if unspecified
+    CIRRUS_SHELL: "/bin/bash"
+    # Save a little typing (path relative to $CIRRUS_WORKING_DIR)
+    SCRIPT_BASE: "./contrib/cirrus"
+
+    ####
+    #### Cache-image names to test with (double-quotes around names are critical)
+    ####
+    FEDORA_NAME: "fedora-36"
+    PRIOR_FEDORA_NAME: "fedora-35"
+    UBUNTU_NAME: "ubuntu-2110"
+
+    # Google-cloud VM Images
+    IMAGE_SUFFIX: "c4955393725038592"
+    FEDORA_CACHE_IMAGE_NAME: "fedora-${IMAGE_SUFFIX}"
+    PRIOR_FEDORA_CACHE_IMAGE_NAME: "prior-fedora-${IMAGE_SUFFIX}"
+    UBUNTU_CACHE_IMAGE_NAME: "ubuntu-${IMAGE_SUFFIX}"
+
+    # Container FQIN's
+    FEDORA_CONTAINER_FQIN: "quay.io/libpod/fedora_podman:${IMAGE_SUFFIX}"
+    PRIOR_FEDORA_CONTAINER_FQIN: "quay.io/libpod/prior-fedora_podman:${IMAGE_SUFFIX}"
+    UBUNTU_CONTAINER_FQIN: "quay.io/libpod/ubuntu_podman:${IMAGE_SUFFIX}"
+
+    # Built along with the standard PR-based workflow in c/automation_images
+    SKOPEO_CIDEV_CONTAINER_FQIN: "quay.io/libpod/skopeo_cidev:${IMAGE_SUFFIX}"
+
+
+# Default timeout for each task
+timeout_in: 45m
+
+
+gcp_credentials: ENCRYPTED[52d9e807b531b37ab14e958cb5a72499460663f04c8d73e22ad608c027a31118420f1c80f0be0882fbdf96f49d8f9ac0]
+
+
+validate_task:
+    # The git-validation tool doesn't work well on branch or tag push,
+    # under Cirrus-CI, due to challenges obtaining the starting commit ID.
+    # Only do validation for PRs.
+    only_if: $CIRRUS_PR != ''
+    container:
+        image: '${SKOPEO_CIDEV_CONTAINER_FQIN}'
+        cpu: 4
+        memory: 8
+    script: |
+        make validate-local
+        make vendor && hack/tree_status.sh
+
+doccheck_task:
+    only_if: $CIRRUS_PR != ''
+    depends_on:
+      - validate
+    container:
+        image: "${FEDORA_CONTAINER_FQIN}"
+        cpu: 4
+        memory: 8
+    env:
+        BUILDTAGS: &withopengpg 'btrfs_noversion libdm_no_deferred_remove containers_image_openpgp'
+    script: |
+      # TODO: Can't use 'runner.sh setup' inside container.  However,
+      # removing the pre-installed package is the only necessary step
+      # at the time of this comment.
+      dnf erase -y skopeo  # Guarantee non-interference
+      "${SKOPEO_PATH}/${SCRIPT_BASE}/runner.sh" build
+      "${SKOPEO_PATH}/${SCRIPT_BASE}/runner.sh" doccheck
+
+
+cross_task:
+    alias: cross
+    only_if: &not_docs $CIRRUS_CHANGE_TITLE !=~ '.*CI:DOCS.*'
+    depends_on:
+        - validate
+    gce_instance:
+        image_project: libpod-218412
+        zone: "us-central1-f"
+        cpu: 2
+        memory: "4Gb"
+        # Required to be 200gig, do not modify - has i/o performance impact
+        # according to gcloud CLI tool warning messages.
+        disk: 200
+        image_name: ${FEDORA_CACHE_IMAGE_NAME}
+    env:
+        BUILDTAGS: *withopengpg
+    setup_script: >-
+        "${GOSRC}/${SCRIPT_BASE}/runner.sh" setup
+    cross_script: >-
+        "${GOSRC}/${SCRIPT_BASE}/runner.sh" cross
+
+
+#####
+##### NOTE: This task is subtantially duplicated in the containers/image
+##### repository's `.cirrus.yml`.  Changes made here should be fully merged
+##### prior to being manually duplicated and maintained in containers/image.
+#####
+test_skopeo_task:
+    alias: test_skopeo
+    only_if: *not_docs
+    depends_on:
+        - validate
+    gce_instance:
+        image_project: libpod-218412
+        zone: "us-central1-f"
+        cpu: 2
+        memory: "4Gb"
+        # Required to be 200gig, do not modify - has i/o performance impact
+        # according to gcloud CLI tool warning messages.
+        disk: 200
+        image_name: ${FEDORA_CACHE_IMAGE_NAME}
+    matrix:
+        - name: "Skopeo Test"  # N/B: Name ref. by hack/get_fqin.sh
+          env:
+              BUILDTAGS: 'btrfs_noversion libdm_no_deferred_remove'
+        - name: "Skopeo Test w/ opengpg"
+          env:
+              BUILDTAGS: *withopengpg
+    setup_script: >-
+        "${GOSRC}/${SCRIPT_BASE}/runner.sh" setup
+    vendor_script: >-
+        "${SKOPEO_PATH}/${SCRIPT_BASE}/runner.sh" vendor
+    build_script: >-
+        "${SKOPEO_PATH}/${SCRIPT_BASE}/runner.sh" build
+    unit_script: >-
+        "${SKOPEO_PATH}/${SCRIPT_BASE}/runner.sh" unit
+    integration_script: >-
+        "${SKOPEO_PATH}/${SCRIPT_BASE}/runner.sh" integration
+    system_script: >
+        "${SKOPEO_PATH}/${SCRIPT_BASE}/runner.sh" system
+
+
+# This task is critical.  It updates the "last-used by" timestamp stored
+# in metadata for all VM images.  This mechanism functions in tandem with
+# an out-of-band pruning operation to remove disused VM images.
+meta_task:
+    name: "VM img. keepalive"
+    alias: meta
+    container: &smallcontainer
+        cpu: 2
+        memory: 2
+        image: quay.io/libpod/imgts:latest
+    env:
+        # Space-separated list of images used by this repository state
+        IMGNAMES: >-
+            ${FEDORA_CACHE_IMAGE_NAME}
+            ${PRIOR_FEDORA_CACHE_IMAGE_NAME}
+            ${UBUNTU_CACHE_IMAGE_NAME}
+        BUILDID: "${CIRRUS_BUILD_ID}"
+        REPOREF: "${CIRRUS_REPO_NAME}"
+        GCPJSON: ENCRYPTED[6867b5a83e960e7c159a98fe6c8360064567a071c6f4b5e7d532283ecd870aa65c94ccd74bdaa9bf7aadac9d42e20a67]
+        GCPNAME: ENCRYPTED[1cf558ae125e3c39ec401e443ad76452b25d790c45eb73d77c83eb059a0f7fd5085ef7e2f7e410b04ea6e83b0aab2eb1]
+        GCPPROJECT: libpod-218412
+    clone_script: &noop mkdir -p "$CIRRUS_WORKING_DIR"
+    script: /usr/local/bin/entrypoint.sh
+
+
+# Status aggregator for all tests.  This task simply ensures a defined
+# set of tasks all passed, and allows confirming that based on the status
+# of this task.
+success_task:
+    name: "Total Success"
+    alias: success
+    # N/B: ALL tasks must be listed here, minus their '_task' suffix.
+    depends_on:
+        - validate
+        - doccheck
+        - cross
+        - test_skopeo
+        - meta
+    container: *smallcontainer
+    env:
+        CTR_FQIN: ${FEDORA_CONTAINER_FQIN}
+        TEST_ENVIRON: container
+    clone_script: *noop
+    script: /bin/true

.github/dependabot.yml

@@ -0,0 +1,10 @@
+version: 2
+updates:
+- package-ecosystem: gomod
+  directory: "/"
+  schedule:
+    interval: daily
+    time: "10:00"
+    timezone: Europe/Berlin
+  open-pull-requests-limit: 10
+

.github/workflows/check_cirrus_cron.yml

@@ -0,0 +1,102 @@
+---
+
+# See also:
+# https://github.com/containers/podman/blob/main/.github/workflows/check_cirrus_cron.yml
+
+# Format Ref: https://docs.github.com/en/free-pro-team@latest/actions/reference/workflow-syntax-for-github-actions
+
+# Required to un-FUBAR default ${{github.workflow}} value
+name: check_cirrus_cron
+
+on:
+    # Note: This only applies to the default branch.
+    schedule:
+        # N/B: This should correspond to a period slightly after
+        # the last job finishes running.  See job defs. at:
+        # https://cirrus-ci.com/settings/repository/6706677464432640
+        - cron:  '59 23 * * 1-5'
+    # Debug: Allow triggering job manually in github-actions WebUI
+    workflow_dispatch: {}
+
+env:
+    # Debug-mode can reveal secrets, only enable by a secret value.
+    # Ref: https://help.github.com/en/actions/configuring-and-managing-workflows/managing-a-workflow-run#enabling-step-debug-logging
+    ACTIONS_STEP_DEBUG: '${{ secrets.ACTIONS_STEP_DEBUG }}'
+    # CSV listing of e-mail addresses for delivery failure or error notices
+    RCPTCSV: rh.container.bot@gmail.com,podman-monitor@lists.podman.io
+    # Filename for table of cron-name to build-id data
+    # (must be in $GITHUB_WORKSPACE/artifacts/)
+    NAME_ID_FILEPATH: './artifacts/name_id.txt'
+
+jobs:
+    cron_failures:
+        runs-on: ubuntu-latest
+        steps:
+            - uses: actions/checkout@v2
+              with:
+                  persist-credentials: false
+
+            # Avoid duplicating cron_failures.sh in skopeo repo.
+            - uses: actions/checkout@v2
+              with:
+                  repository: containers/podman
+                  path: '_podman'
+                  persist-credentials: false
+
+            - name: Get failed cron names and Build IDs
+              id: cron
+              run: './_podman/.github/actions/${{ github.workflow }}/${{ github.job }}.sh'
+
+            - if: steps.cron.outputs.failures > 0
+              shell: bash
+              # Must be inline, since context expressions are used.
+              # Ref: https://docs.github.com/en/free-pro-team@latest/actions/reference/context-and-expression-syntax-for-github-actions
+              run: |
+                set -eo pipefail
+                (
+                echo "Detected one or more Cirrus-CI cron-triggered jobs have failed recently:"
+                echo ""
+
+                while read -r NAME BID; do
+                    echo "Cron build '$NAME' Failed: https://cirrus-ci.com/build/$BID"
+                done < "$NAME_ID_FILEPATH"
+
+                echo ""
+                echo "# Source: ${{ github.workflow }} workflow on ${{ github.repository }}."
+                # Separate content from sendgrid.com automatic footer.
+                echo ""
+                echo ""
+                ) > ./artifacts/email_body.txt
+
+            - if: steps.cron.outputs.failures > 0
+              name: Send failure notification e-mail
+              # Ref: https://github.com/dawidd6/action-send-mail
+              uses: dawidd6/action-send-mail@v2.2.2
+              with:
+                server_address: ${{secrets.ACTION_MAIL_SERVER}}
+                server_port: 465
+                username: ${{secrets.ACTION_MAIL_USERNAME}}
+                password: ${{secrets.ACTION_MAIL_PASSWORD}}
+                subject: Cirrus-CI cron build failures on ${{github.repository}}
+                to: ${{env.RCPTCSV}}
+                from: ${{secrets.ACTION_MAIL_SENDER}}
+                body: file://./artifacts/email_body.txt
+
+            - if: always()
+              uses: actions/upload-artifact@v2
+              with:
+                  name: ${{ github.job }}_artifacts
+                  path: artifacts/*
+
+            - if: failure()
+              name: Send error notification e-mail
+              uses: dawidd6/action-send-mail@v2.2.2
+              with:
+                server_address: ${{secrets.ACTION_MAIL_SERVER}}
+                server_port: 465
+                username: ${{secrets.ACTION_MAIL_USERNAME}}
+                password: ${{secrets.ACTION_MAIL_PASSWORD}}
+                subject: Github workflow error on ${{github.repository}}
+                to: ${{env.RCPTCSV}}
+                from: ${{secrets.ACTION_MAIL_SENDER}}
+                body: "Job failed: https://github.com/${{github.repository}}/actions/runs/${{github.run_id}}"

.github/workflows/multi-arch-build.yaml

@@ -0,0 +1,209 @@
+---
+
+# Please see contrib/<reponame>image/README.md for details on the intentions
+# of this workflow.
+#
+# BIG FAT WARNING:  This workflow is duplicated across containers/skopeo,
+#                   containers/buildah, and containers/podman.  ANY AND
+#                   ALL CHANGES MADE HERE MUST BE MANUALLY DUPLICATED
+#                   TO THE OTHER REPOS.
+
+name: build multi-arch images
+
+on:
+  # Upstream tends to be very active, with many merges per day.
+  # Only run this daily via cron schedule, or manually, not by branch push.
+  schedule:
+    - cron:  '0 8 * * *'
+  # allows to run this workflow manually from the Actions tab
+  workflow_dispatch:
+
+jobs:
+  multi:
+    name: multi-arch image build
+    env:
+      REPONAME: skopeo  # No easy way to parse this out of $GITHUB_REPOSITORY
+      # Server/namespace value used to format FQIN
+      REPONAME_QUAY_REGISTRY: quay.io/skopeo
+      CONTAINERS_QUAY_REGISTRY: quay.io/containers
+      # list of architectures for build
+      PLATFORMS: linux/amd64,linux/s390x,linux/ppc64le,linux/arm64
+      # Command to execute in container to obtain project version number
+      VERSION_CMD: "--version"  # skopeo is the entrypoint
+
+    # build several images (upstream, testing, stable) in parallel
+    strategy:
+      # By default, failure of one matrix item cancels all others
+      fail-fast: false
+      matrix:
+        # Builds are located under contrib/<reponame>image/<source> directory
+        source:
+          - upstream
+          - testing
+          - stable
+    runs-on: ubuntu-latest
+    # internal registry caches build for inspection before push
+    services:
+      registry:
+        image: quay.io/libpod/registry:2
+        ports:
+          - 5000:5000
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v1
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v1
+        with:
+          driver-opts: network=host
+          install: true
+
+      - name: Build and locally push image
+        uses: docker/build-push-action@v2
+        with:
+          context: contrib/${{ env.REPONAME }}image/${{ matrix.source }}
+          file: ./contrib/${{ env.REPONAME }}image/${{ matrix.source }}/Dockerfile
+          platforms: ${{ env.PLATFORMS }}
+          push: true
+          tags: localhost:5000/${{ env.REPONAME }}/${{ matrix.source }}
+
+      # Simple verification that stable images work, and
+      # also grab version number use in forming the FQIN.
+      - name: amd64 container sniff test
+        if: matrix.source == 'stable'
+        id: sniff_test
+        run: |
+          podman pull --tls-verify=false \
+                            localhost:5000/$REPONAME/${{ matrix.source }}
+          VERSION_OUTPUT=$(podman run \
+                           localhost:5000/$REPONAME/${{ matrix.source }} \
+                           $VERSION_CMD)
+          echo "$VERSION_OUTPUT"
+          VERSION=$(awk -r -e "/^${REPONAME} version /"'{print $3}' <<<"$VERSION_OUTPUT")
+          test -n "$VERSION"
+          echo "::set-output name=version::$VERSION"
+
+      - name: Generate image FQIN(s) to push
+        id: reponame_reg
+        run: |
+          if [[ "${{ matrix.source }}" == 'stable' ]]; then
+            # The command version in image just built
+            VERSION='v${{ steps.sniff_test.outputs.version }}'
+            # workaround vim syntax-highlight bug: '
+            # Push both new|updated version-tag and latest-tag FQINs
+            FQIN="$REPONAME_QUAY_REGISTRY/stable:$VERSION,$REPONAME_QUAY_REGISTRY/stable:latest"
+          elif [[ "${{ matrix.source }}" == 'testing' ]]; then
+            # Assume some contents changed, always push latest testing.
+            FQIN="$REPONAME_QUAY_REGISTRY/testing:latest"
+          elif [[ "${{ matrix.source }}" == 'upstream' ]]; then
+            # Assume some contents changed, always push latest upstream.
+            FQIN="$REPONAME_QUAY_REGISTRY/upstream:latest"
+          else
+            echo "::error::Unknown matrix item '${{ matrix.source }}'"
+            exit 1
+          fi
+          echo "::warning::Pushing $FQIN"
+          echo "::set-output name=fqin::${FQIN}"
+          echo '::set-output name=push::true'
+
+      # This is substantially similar to the above logic,
+      # but only handles $CONTAINERS_QUAY_REGISTRY for
+      # the stable "latest" and named-version tagged images.
+      - name: Generate containers reg. image FQIN(s)
+        if: matrix.source == 'stable'
+        id: containers_reg
+        run: |
+          VERSION='v${{ steps.sniff_test.outputs.version }}'
+          # workaround vim syntax-highlight bug: '
+          # Push both new|updated version-tag and latest-tag FQINs
+          FQIN="$CONTAINERS_QUAY_REGISTRY/$REPONAME:$VERSION,$CONTAINERS_QUAY_REGISTRY/$REPONAME:latest"
+          echo "::warning::Pushing $FQIN"
+          echo "::set-output name=fqin::${FQIN}"
+          echo '::set-output name=push::true'
+
+      - name: Define LABELS multi-line env. var. value
+        run: |
+          # This is a really hacky/strange workflow idiom, required
+          # for setting multi-line $LABELS value for consumption in
+          # a future step.  There is literally no cleaner way to do this :<
+          # https://docs.github.com/en/actions/reference/workflow-commands-for-github-actions#multiline-strings
+          function set_labels() {
+            echo 'LABELS<<DELIMITER' >> "$GITHUB_ENV"
+            for line; do
+                echo "$line" | tee -a "$GITHUB_ENV"
+            done
+            echo "DELIMITER" >> "$GITHUB_ENV"
+          }
+
+          declare -a lines
+          lines=(\
+            "org.opencontainers.image.source=https://github.com/${GITHUB_REPOSITORY}.git"
+            "org.opencontainers.image.revision=${GITHUB_SHA}"
+            "org.opencontainers.image.created=$(date -u --iso-8601=seconds)"
+          )
+
+          # Only the 'stable' matrix source obtains $VERSION
+          if [[ "${{ matrix.source }}" == "stable" ]]; then
+            lines+=(\
+              "org.opencontainers.image.version=${{ steps.sniff_test.outputs.version }}"
+            )
+          fi
+
+          set_labels "${lines[@]}"
+
+      # Separate steps to login and push for $REPONAME_QUAY_REGISTRY and
+      # $CONTAINERS_QUAY_REGISTRY are required, because 2 sets of credentials
+      # are used and namespaced within the registry.  At the same time, reuse
+      # of non-shell steps is not supported by Github Actions nor are YAML
+      # anchors/aliases, nor composite actions.
+
+      # Push to $REPONAME_QUAY_REGISTRY for stable, testing. and upstream
+      - name: Login to ${{ env.REPONAME_QUAY_REGISTRY }}
+        uses: docker/login-action@v1
+        if: steps.reponame_reg.outputs.push == 'true'
+        with:
+          registry: ${{ env.REPONAME_QUAY_REGISTRY }}
+          # N/B: Secrets are not passed to workflows that are triggered
+          #      by a pull request from a fork
+          username: ${{ secrets.REPONAME_QUAY_USERNAME }}
+          password: ${{ secrets.REPONAME_QUAY_PASSWORD }}
+
+      - name: Push images to ${{ steps.reponame_reg.outputs.fqin }}
+        uses: docker/build-push-action@v2
+        if: steps.reponame_reg.outputs.push == 'true'
+        with:
+          cache-from: type=registry,ref=localhost:5000/${{ env.REPONAME }}/${{ matrix.source }}
+          cache-to: type=inline
+          context: contrib/${{ env.REPONAME }}image/${{ matrix.source }}
+          file: ./contrib/${{ env.REPONAME }}image/${{ matrix.source }}/Dockerfile
+          platforms: ${{ env.PLATFORMS }}
+          push: true
+          tags: ${{ steps.reponame_reg.outputs.fqin }}
+          labels: |
+            ${{ env.LABELS }}
+
+      # Push to $CONTAINERS_QUAY_REGISTRY only stable
+      - name: Login to ${{ env.CONTAINERS_QUAY_REGISTRY }}
+        if: steps.containers_reg.outputs.push == 'true'
+        uses: docker/login-action@v1
+        with:
+          registry: ${{ env.CONTAINERS_QUAY_REGISTRY}}
+          username: ${{ secrets.CONTAINERS_QUAY_USERNAME }}
+          password: ${{ secrets.CONTAINERS_QUAY_PASSWORD }}
+
+      - name: Push images to ${{ steps.containers_reg.outputs.fqin }}
+        if: steps.containers_reg.outputs.push == 'true'
+        uses: docker/build-push-action@v2
+        with:
+          cache-from: type=registry,ref=localhost:5000/${{ env.REPONAME }}/${{ matrix.source }}
+          cache-to: type=inline
+          context: contrib/${{ env.REPONAME }}image/${{ matrix.source }}
+          file: ./contrib/${{ env.REPONAME }}image/${{ matrix.source }}/Dockerfile
+          platforms: ${{ env.PLATFORMS }}
+          push: true
+          tags: ${{ steps.containers_reg.outputs.fqin }}
+          labels: |
+            ${{ env.LABELS }}

.github/workflows/stale.yml

@@ -0,0 +1,25 @@
+name: Mark stale issues and pull requests
+
+# Please refer to https://github.com/actions/stale/blob/master/action.yml
+# to see all config knobs of the stale action.
+
+on:
+  schedule:
+  - cron: "0 0 * * *"
+
+jobs:
+  stale:
+
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/stale@v1
+      with:
+        repo-token: ${{ secrets.GITHUB_TOKEN }}
+        stale-issue-message: 'A friendly reminder that this issue had no activity for 30 days.'
+        stale-pr-message: 'A friendly reminder that this PR had no activity for 30 days.'
+        stale-issue-label: 'stale-issue'
+        stale-pr-label: 'stale-pr'
+        days-before-stale: 30
+        days-before-close: 365
+        remove-stale-when-updated: true

.gitignore

@@ -1,2 +1,10 @@
-skopeo
-skopeo.1
+*.1
+/layers-*
+/skopeo
+result
+
+# ignore JetBrains IDEs (GoLand) config folder
+.idea
+
+# Ignore the bin directory
+bin

.travis.yml

@@ -1,11 +0,0 @@
-sudo: required
-
-services:
-  - docker
-
-notifications:
-  email: false
-
-script:
-  - make validate
-  - make test-integration

CODE-OF-CONDUCT.md

@@ -0,0 +1,3 @@
+## The skopeo Project Community Code of Conduct
+
+The skopeo project follows the [Containers Community Code of Conduct](https://github.com/containers/common/blob/main/CODE-OF-CONDUCT.md).

CONTRIBUTING.md

@@ -0,0 +1,175 @@
+# Contributing to Skopeo
+
+We'd love to have you join the community! Below summarizes the processes
+that we follow.
+
+## Topics
+
+* [Reporting Issues](#reporting-issues)
+* [Submitting Pull Requests](#submitting-pull-requests)
+* [Communications](#communications)
+<!--
+* [Becoming a Maintainer](#becoming-a-maintainer)
+-->
+
+## Reporting Issues
+
+Before reporting an issue, check our backlog of 
+[open issues](https://github.com/containers/skopeo/issues)
+to see if someone else has already reported it. If so, feel free to add
+your scenario, or additional information, to the discussion. Or simply 
+"subscribe" to it to be notified when it is updated.
+
+If you find a new issue with the project we'd love to hear about it! The most
+important aspect of a bug report is that it includes enough information for
+us to reproduce it. So, please include as much detail as possible and try
+to remove the extra stuff that doesn't really relate to the issue itself.
+The easier it is for us to reproduce it, the faster it'll be fixed!
+
+Please don't include any private/sensitive information in your issue!
+
+## Submitting Pull Requests
+
+No Pull Request (PR) is too small! Typos, additional comments in the code,
+new testcases, bug fixes, new features, more documentation, ... it's all 
+welcome!
+
+While bug fixes can first be identified via an "issue", that is not required.
+It's ok to just open up a PR with the fix, but make sure you include the same
+information you would have included in an issue - like how to reproduce it.
+
+PRs for new features should include some background on what use cases the
+new code is trying to address. When possible and when it makes sense, try to break-up
+larger PRs into smaller ones - it's easier to review smaller
+code changes. But only if those smaller ones make sense as stand-alone PRs.
+
+Regardless of the type of PR, all PRs should include:
+* well documented code changes
+* additional testcases. Ideally, they should fail w/o your code change applied
+* documentation changes
+
+Squash your commits into logical pieces of work that might want to be reviewed
+separate from the rest of the PRs. Ideally, each commit should implement a single
+idea, and the PR branch should pass the tests at every commit.  GitHub makes it easy
+to review the cumulative effect of many commits; so, when in doubt, use smaller commits.
+
+PRs that fix issues should include a reference like `Closes #XXXX` in the
+commit message so that github will automatically close the referenced issue
+when the PR is merged.
+
+<!--
+All PRs require at least two LGTMs (Looks Good To Me) from maintainers.
+-->
+
+### Sign your PRs
+
+The sign-off is a line at the end of the explanation for the patch. Your
+signature certifies that you wrote the patch or otherwise have the right to pass
+it on as an open-source patch. The rules are simple: if you can certify
+the below (from [developercertificate.org](http://developercertificate.org/)):
+
+```
+Developer Certificate of Origin
+Version 1.1
+
+Copyright (C) 2004, 2006 The Linux Foundation and its contributors.
+660 York Street, Suite 102,
+San Francisco, CA 94110 USA
+
+Everyone is permitted to copy and distribute verbatim copies of this
+license document, but changing it is not allowed.
+
+Developer's Certificate of Origin 1.1
+
+By making a contribution to this project, I certify that:
+
+(a) The contribution was created in whole or in part by me and I
+    have the right to submit it under the open source license
+    indicated in the file; or
+
+(b) The contribution is based upon previous work that, to the best
+    of my knowledge, is covered under an appropriate open source
+    license and I have the right under that license to submit that
+    work with modifications, whether created in whole or in part
+    by me, under the same open source license (unless I am
+    permitted to submit under a different license), as indicated
+    in the file; or
+
+(c) The contribution was provided directly to me by some other
+    person who certified (a), (b) or (c) and I have not modified
+    it.
+
+(d) I understand and agree that this project and the contribution
+    are public and that a record of the contribution (including all
+    personal information I submit with it, including my sign-off) is
+    maintained indefinitely and may be redistributed consistent with
+    this project or the open source license(s) involved.
+```
+
+Then you just add a line to every git commit message:
+
+    Signed-off-by: Joe Smith <joe.smith@email.com>
+
+Use your real name (sorry, no pseudonyms or anonymous contributions.)
+
+If you set your `user.name` and `user.email` git configs, you can sign your
+commit automatically with `git commit -s`.
+
+### Dependencies management
+
+Dependencies are managed via [standard go modules](https://golang.org/ref/mod).
+
+In order to add a new dependency to this project:
+
+- use `go get -d path/to/dep@version` to add a new line to `go.mod`
+- run `make vendor`
+
+In order to update an existing dependency:
+
+- use `go get -d -u path/to/dep@version` to update the relevant dependency line in `go.mod`
+- run `make vendor`
+
+When new PRs for [containers/image](https://github.com/containers/image) break `skopeo` (i.e. `containers/image` tests fail in `make test-skopeo`):
+
+- create out a new branch in your `skopeo` checkout and switch to it
+- find out the version of `containers/image` you want to use and note its commit ID. You might also want to use a fork of `containers/image`, in that case note its repo
+- use `go get -d github.com/$REPO/image/v5@$COMMIT_ID` to download the right version. The command will fetch the dependency and then fail because of a conflict in `go.mod`, this is expected. Note the pseudo-version (eg. `v5.13.1-0.20210707123201-50afbf0a326`)
+- use `go mod edit -replace=github.com/containers/image/v5=github.com/$REPO/image/v5@$PSEUDO_VERSION` to add a replacement line to `go.mod` (e.g. `replace github.com/containers/image/v5 => github.com/moio/image/v5 v5.13.1-0.20210707123201-50afbf0a3262`)
+- run `make vendor`
+- make any other necessary changes in the skopeo repo (e.g. add other dependencies now required by `containers/image`, or update skopeo for changed `containers/image` API)
+- optionally add new integration tests to the skopeo repo
+- submit the resulting branch as a skopeo PR, marked “DO NOT MERGE”
+- iterate until tests pass and the PR is reviewed
+- then the original `containers/image` PR can be merged, disregarding its `make test-skopeo` failure
+- as soon as possible after that, in the skopeo PR, use `go mod edit -dropreplace=github.com/containers/image` to remove the `replace` line in `go.mod`
+- run `make vendor`
+- update the skopeo PR with the result, drop the “DO NOT MERGE” marking
+- after tests complete successfully again, merge the skopeo PR
+
+## Communications
+
+For general questions, or discussions, please use the 
+IRC group on `irc.freenode.net` called `container-projects`
+that has been setup.
+
+For discussions around issues/bugs and features, you can use the github
+[issues](https://github.com/containers/skopeo/issues)
+and
+[PRs](https://github.com/containers/skopeo/pulls)
+tracking system.
+
+<!--
+## Becoming a Maintainer
+
+To become a maintainer you must first be nominated by an existing maintainer.
+If a majority (>50%) of maintainers agree then the proposal is adopted and
+you will be added to the list.
+
+Removing a maintainer requires at least 75% of the remaining maintainers
+approval, or if the person requests to be removed then it is automatic.
+Normally, a maintainer will only be removed if they are considered to be
+inactive for a long period of time or are viewed as disruptive to the community.
+
+The current list of maintainers can be found in the 
+[MAINTAINERS](MAINTAINERS) file.
+-->

Dockerfile

@@ -1,31 +0,0 @@
-FROM fedora
-
-RUN dnf -y update && dnf install -y make git golang golang-github-cpuguy83-go-md2man golang-github-Sirupsen-logrus-devel golang-github-codegangsta-cli-devel golang-golangorg-net-devel
-
-# Install two versions of the registry. The first is an older version that
-# only supports schema1 manifests. The second is a newer version that supports
-# both. This allows integration-cli tests to cover push/pull with both schema1
-# and schema2 manifests.
-ENV REGISTRY_COMMIT_SCHEMA1 ec87e9b6971d831f0eff752ddb54fb64693e51cd
-ENV REGISTRY_COMMIT 47a064d4195a9b56133891bbb13620c3ac83a827
-#ENV REGISTRY_COMMIT_v1 TODO(runcom)
-RUN set -x \
-	&& export GOPATH="$(mktemp -d)" \
-	&& git clone https://github.com/docker/distribution.git "$GOPATH/src/github.com/docker/distribution" \
-	&& (cd "$GOPATH/src/github.com/docker/distribution" && git checkout -q "$REGISTRY_COMMIT") \
-	&& GOPATH="$GOPATH/src/github.com/docker/distribution/Godeps/_workspace:$GOPATH" \
-		go build -o /usr/local/bin/registry-v2 github.com/docker/distribution/cmd/registry \
-	&& (cd "$GOPATH/src/github.com/docker/distribution" && git checkout -q "$REGISTRY_COMMIT_SCHEMA1") \
-	&& GOPATH="$GOPATH/src/github.com/docker/distribution/Godeps/_workspace:$GOPATH" \
-		go build -o /usr/local/bin/registry-v2-schema1 github.com/docker/distribution/cmd/registry \
-	&& rm -rf "$GOPATH"
-
-ENV GOPATH /usr/share/gocode:/go
-WORKDIR /go/src/github.com/runcom/skopeo
-
-#ENTRYPOINT ["hack/dind"]
-
-COPY . /go/src/github.com/runcom/skopeo
-
-# remove distro-supplied dependencies, so we build against them and the rest from vendor/
-RUN rm -rf /go/src/github.com/runcom/skopeo/vendor/golang.org && rm -rf /go/src/github.com/runcom/skopeo/vendor/github.com/Sirupsen && rm -rf /go/src/github.com/runcom/skopeo/vendor/github.com/codegangsta

LICENSE

@@ -1,7 +1,7 @@
 
                                  Apache License
                            Version 2.0, January 2004
-                        http://www.apache.org/licenses/
+                        https://www.apache.org/licenses/
 
    TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
 
@@ -176,13 +176,11 @@
 
    END OF TERMS AND CONDITIONS
 
-   Copyright 2016 Antonio Murdaca <runcom@redhat.com>
-
    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.
    You may obtain a copy of the License at
 
-       http://www.apache.org/licenses/LICENSE-2.0
+       https://www.apache.org/licenses/LICENSE-2.0
 
    Unless required by applicable law or agreed to in writing, software
    distributed under the License is distributed on an "AS IS" BASIS,

Makefile

@@ -1,51 +1,238 @@
-.PHONY: all binary build clean install install-binary man shell test-integration
+.PHONY: all binary docs docs-in-container build-local clean install install-binary install-completions shell test-integration .install.vndr vendor vendor-in-container
 
-export GO15VENDOREXPERIMENT=1
+export GOPROXY=https://proxy.golang.org
 
-PREFIX ?= ${DESTDIR}/usr
-INSTALLDIR=${PREFIX}/bin
-MANINSTALLDIR=${PREFIX}/share/man
+# On some platforms (eg. macOS, FreeBSD) gpgme is installed in /usr/local/ but /usr/local/include/ is
+# not in the default search path. Rather than hard-code this directory, use gpgme-config.
+# Sadly that must be done at the top-level user instead of locally in the gpgme subpackage, because cgo
+# supports only pkg-config, not general shell scripts, and gpgme does not install a pkg-config file.
+# If gpgme is not installed or gpgme-config can’t be found for other reasons, the error is silently ignored
+# (and the user will probably find out because the cgo compilation will fail).
+GPGME_ENV := CGO_CFLAGS="$(shell gpgme-config --cflags 2>/dev/null)" CGO_LDFLAGS="$(shell gpgme-config --libs 2>/dev/null)"
+
+# The following variables very roughly follow https://www.gnu.org/prep/standards/standards.html#Makefile-Conventions .
+DESTDIR ?=
+PREFIX ?= /usr/local
+CONTAINERSCONFDIR ?= /etc/containers
+REGISTRIESDDIR ?= ${CONTAINERSCONFDIR}/registries.d
+SIGSTOREDIR ?= /var/lib/containers/sigstore
+BINDIR ?= ${PREFIX}/bin
+MANDIR ?= ${PREFIX}/share/man
+BASHCOMPLETIONSDIR ?= ${PREFIX}/share/bash-completion/completions
+
+GO ?= go
+GOBIN := $(shell $(GO) env GOBIN)
+GOOS ?= $(shell go env GOOS)
+GOARCH ?= $(shell go env GOARCH)
+
+ifeq ($(GOBIN),)
+GOBIN := $(GOPATH)/bin
+endif
+
+# Multiple scripts are sensitive to this value, make sure it's exported/available
+# N/B: Need to use 'command -v' here for compatibility with MacOS.
+export CONTAINER_RUNTIME ?= $(if $(shell command -v podman),podman,docker)
+GOMD2MAN ?= $(if $(shell command -v go-md2man),go-md2man,$(GOBIN)/go-md2man)
+
+# Go module support: set `-mod=vendor` to use the vendored sources.
+# See also hack/make.sh.
+ifeq ($(shell go help mod >/dev/null 2>&1 && echo true), true)
+  GO:=GO111MODULE=on $(GO)
+  MOD_VENDOR=-mod=vendor
+endif
+
+ifeq ($(DEBUG), 1)
+  override GOGCFLAGS += -N -l
+endif
+
+ifeq ($(GOOS), linux)
+  ifneq ($(GOARCH),$(filter $(GOARCH),mips mipsle mips64 mips64le ppc64 riscv64))
+    GO_DYN_FLAGS="-buildmode=pie"
+  endif
+endif
 
 GIT_BRANCH := $(shell git rev-parse --abbrev-ref HEAD 2>/dev/null)
-DOCKER_IMAGE := skopeo-dev$(if $(GIT_BRANCH),:$(GIT_BRANCH))
-# set env like gobuildtag?
-DOCKER_FLAGS := docker run --rm -i #$(DOCKER_ENVS)
+
+# If $TESTFLAGS is set, it is passed as extra arguments to 'go test'.
+# You can increase test output verbosity with the option '-test.vv'.
+# You can select certain tests to run, with `-test.run <regex>` for example:
+#
+#     make test-unit TESTFLAGS='-test.run ^TestManifestDigest$'
+#
+# For integration test, we use [gocheck](https://labix.org/gocheck).
+# You can increase test output verbosity with the option '-check.vv'.
+# You can limit test selection with `-check.f <regex>`, for example:
+#
+#     make test-integration TESTFLAGS='-check.f CopySuite.TestCopy.*'
+export TESTFLAGS ?= -v -check.v -test.timeout=15m
+
+# This is assumed to be set non-empty when operating inside a CI/automation environment
+CI ?=
+
+# This env. var. is interpreted by some tests as a permission to
+# modify local configuration files and services.
+export SKOPEO_CONTAINER_TESTS ?= $(if $(CI),1,0)
+
+# This is a compromise, we either use a container for this or require
+# the local user to have a compatible python3 development environment.
+# Define it as a "resolve on use" variable to avoid calling out when possible
+SKOPEO_CIDEV_CONTAINER_FQIN ?= $(shell hack/get_fqin.sh)
+CONTAINER_CMD ?= ${CONTAINER_RUNTIME} run --rm -i -e TESTFLAGS="$(TESTFLAGS)" -e CI=$(CI) -e SKOPEO_CONTAINER_TESTS=1
 # if this session isn't interactive, then we don't want to allocate a
 # TTY, which would fail, but if it is interactive, we do want to attach
 # so that the user can send e.g. ^C through.
 INTERACTIVE := $(shell [ -t 0 ] && echo 1 || echo 0)
 ifeq ($(INTERACTIVE), 1)
-	DOCKER_FLAGS += -t
+	CONTAINER_CMD += -t
 endif
-DOCKER_RUN_DOCKER := $(DOCKER_FLAGS) "$(DOCKER_IMAGE)"
+CONTAINER_GOSRC = /src/github.com/containers/skopeo
+CONTAINER_RUN ?= $(CONTAINER_CMD) --security-opt label=disable -v $(CURDIR):$(CONTAINER_GOSRC) -w $(CONTAINER_GOSRC) $(SKOPEO_CIDEV_CONTAINER_FQIN)
 
-all: man binary
+GIT_COMMIT := $(shell git rev-parse HEAD 2> /dev/null || true)
 
-binary:
-	go build -o ${DEST}skopeo .
+EXTRA_LDFLAGS ?=
+SKOPEO_LDFLAGS := -ldflags '-X main.gitCommit=${GIT_COMMIT} $(EXTRA_LDFLAGS)'
 
-build-container:
-	docker build ${DOCKER_BUILD_ARGS} -t "$(DOCKER_IMAGE)" .
+MANPAGES_MD = $(wildcard docs/*.md)
+MANPAGES ?= $(MANPAGES_MD:%.md=%)
+
+BTRFS_BUILD_TAG = $(shell hack/btrfs_tag.sh) $(shell hack/btrfs_installed_tag.sh)
+LIBDM_BUILD_TAG = $(shell hack/libdm_tag.sh)
+LIBSUBID_BUILD_TAG = $(shell hack/libsubid_tag.sh)
+LOCAL_BUILD_TAGS = $(BTRFS_BUILD_TAG) $(LIBDM_BUILD_TAG) $(LIBSUBID_BUILD_TAG)
+BUILDTAGS += $(LOCAL_BUILD_TAGS)
+
+ifeq ($(DISABLE_CGO), 1)
+	override BUILDTAGS = exclude_graphdriver_devicemapper exclude_graphdriver_btrfs containers_image_openpgp
+endif
+
+#   make all DEBUG=1
+#     Note: Uses the -N -l go compiler options to disable compiler optimizations
+#           and inlining. Using these build options allows you to subsequently
+#           use source debugging tools like delve.
+all: bin/skopeo docs
+
+codespell:
+	codespell -S Makefile,build,buildah,buildah.spec,imgtype,copy,AUTHORS,bin,vendor,.git,go.sum,CHANGELOG.md,changelog.txt,seccomp.json,.cirrus.yml,"*.xz,*.gz,*.tar,*.tgz,*ico,*.png,*.1,*.5,*.orig,*.rej" -L fpr,uint,iff,od,ERRO -w
+
+help:
+	@echo "Usage: make <target>"
+	@echo
+	@echo "Defaults to building bin/skopeo and docs"
+	@echo
+	@echo " * 'install' - Install binaries and documents to system locations"
+	@echo " * 'binary' - Build skopeo with a container"
+	@echo " * 'bin/skopeo' - Build skopeo locally"
+	@echo " * 'test-unit' - Execute unit tests"
+	@echo " * 'test-integration' - Execute integration tests"
+	@echo " * 'validate' - Verify whether there is no conflict and all Go source files have been formatted, linted and vetted"
+	@echo " * 'check' - Including above validate, test-integration and test-unit"
+	@echo " * 'shell' - Run the built image and attach to a shell"
+	@echo " * 'clean' - Clean artifacts"
+
+# Do the build and the output (skopeo) should appear in current dir
+binary: cmd/skopeo
+	$(CONTAINER_RUN) make bin/skopeo $(if $(DEBUG),DEBUG=$(DEBUG)) BUILDTAGS='$(BUILDTAGS)'
+
+# Build w/o using containers
+.PHONY: bin/skopeo
+bin/skopeo:
+	$(GPGME_ENV) $(GO) build $(MOD_VENDOR) ${GO_DYN_FLAGS} ${SKOPEO_LDFLAGS} -gcflags "$(GOGCFLAGS)" -tags "$(BUILDTAGS)" -o $@ ./cmd/skopeo
+bin/skopeo.%:
+	GOOS=$(word 2,$(subst ., ,$@)) GOARCH=$(word 3,$(subst ., ,$@)) $(GO) build $(MOD_VENDOR) ${SKOPEO_LDFLAGS} -tags "containers_image_openpgp $(BUILDTAGS)" -o $@ ./cmd/skopeo
+local-cross: bin/skopeo.darwin.amd64 bin/skopeo.linux.arm bin/skopeo.linux.arm64 bin/skopeo.windows.386.exe bin/skopeo.windows.amd64.exe
+
+$(MANPAGES): %: %.md
+ifneq ($(DISABLE_DOCS), 1)
+	sed -e 's/\((skopeo.*\.md)\)//' -e 's/\[\(skopeo.*\)\]/\1/' $<  | $(GOMD2MAN) -in /dev/stdin -out $@
+endif
+
+docs: $(MANPAGES)
+
+docs-in-container:
+	${CONTAINER_RUN} $(MAKE) docs $(if $(DEBUG),DEBUG=$(DEBUG))
 
 clean:
-	rm -f skopeo
-	rm -f skopeo.1
+	rm -rf bin docs/*.1
 
-install: install-binary
-	install -m 644 skopeo.1 ${MANINSTALLDIR}/man1/
+install: install-binary install-docs install-completions
+	install -d -m 755 ${DESTDIR}${SIGSTOREDIR}
+	install -d -m 755 ${DESTDIR}${CONTAINERSCONFDIR}
+	install -m 644 default-policy.json ${DESTDIR}${CONTAINERSCONFDIR}/policy.json
+	install -d -m 755 ${DESTDIR}${REGISTRIESDDIR}
+	install -m 644 default.yaml ${DESTDIR}${REGISTRIESDDIR}/default.yaml
 
-install-binary:
-	install -d -m 0755 ${INSTALLDIR}
-	install -m 755 skopeo ${INSTALLDIR}
+install-binary: bin/skopeo
+	install -d -m 755 ${DESTDIR}${BINDIR}
+	install -m 755 bin/skopeo ${DESTDIR}${BINDIR}/skopeo
 
-man:
-	go-md2man -in man/skopeo.1.md -out skopeo.1
+install-docs: docs
+ifneq ($(DISABLE_DOCS), 1)
+	install -d -m 755 ${DESTDIR}${MANDIR}/man1
+	install -m 644 docs/*.1 ${DESTDIR}${MANDIR}/man1
+endif
 
-shell: build-container
-	$(DOCKER_RUN_DOCKER) bash
+install-completions:
+	install -m 755 -d ${DESTDIR}${BASHCOMPLETIONSDIR}
+	install -m 644 completions/bash/skopeo ${DESTDIR}${BASHCOMPLETIONSDIR}/skopeo
 
-test-integration: build-container
-	$(DOCKER_RUN_DOCKER) hack/make.sh test-integration
+shell:
+	$(CONTAINER_RUN) bash
 
-validate: build-container
-	$(DOCKER_RUN_DOCKER) hack/make.sh validate-git-marks validate-gofmt validate-lint validate-vet
+check: validate test-unit test-integration test-system
+
+test-integration:
+	$(CONTAINER_RUN) $(MAKE) test-integration-local
+
+
+# Intended for CI, assumed to be running in quay.io/libpod/skopeo_cidev container.
+test-integration-local: bin/skopeo
+	hack/make.sh test-integration
+
+# complicated set of options needed to run podman-in-podman
+# TODO: The $(RM) command will likely fail w/o `podman unshare`
+test-system:
+	DTEMP=$(shell mktemp -d --tmpdir=/var/tmp podman-tmp.XXXXXX); \
+	$(CONTAINER_CMD) --privileged \
+		-v $(CURDIR):$(CONTAINER_GOSRC) -w $(CONTAINER_GOSRC) \
+		-v $$DTEMP:/var/lib/containers:Z -v /run/systemd/journal/socket:/run/systemd/journal/socket \
+		"$(SKOPEO_CIDEV_CONTAINER_FQIN)" \
+			$(MAKE) test-system-local; \
+	rc=$$?; \
+	-$(RM) -rf $$DTEMP; \
+	exit $$rc
+
+# Intended for CI, assumed to already be running in quay.io/libpod/skopeo_cidev container.
+test-system-local: bin/skopeo
+	hack/make.sh test-system
+
+test-unit:
+	# Just call (make test unit-local) here instead of worrying about environment differences
+	$(CONTAINER_RUN) $(MAKE) test-unit-local
+
+validate:
+	$(CONTAINER_RUN) $(MAKE) validate-local
+
+# This target is only intended for development, e.g. executing it from an IDE. Use (make test) for CI or pre-release testing.
+test-all-local: validate-local validate-docs test-unit-local
+
+.PHONY: validate-local
+validate-local:
+	BUILDTAGS="${BUILDTAGS}" hack/make.sh validate-git-marks validate-gofmt validate-lint validate-vet
+
+# This invokes bin/skopeo, hence cannot be run as part of validate-local
+.PHONY: validate-docs
+validate-docs:
+	hack/man-page-checker
+	hack/xref-helpmsgs-manpages
+
+test-unit-local: bin/skopeo
+	$(GPGME_ENV) $(GO) test $(MOD_VENDOR) -tags "$(BUILDTAGS)" $$($(GO) list $(MOD_VENDOR) -tags "$(BUILDTAGS)" -e ./... | grep -v '^github\.com/containers/skopeo/\(integration\|vendor/.*\)$$')
+
+vendor:
+	$(GO) mod tidy
+	$(GO) mod vendor
+	$(GO) mod verify
+
+vendor-in-container:
+	podman run --privileged --rm --env HOME=/root -v $(CURDIR):/src -w /src quay.io/libpod/golang:1.16 $(MAKE) vendor

OWNERS

@@ -0,0 +1,17 @@
+approvers:
+  - mtrmac
+  - lsm5
+  - TomSweeneyRedHat
+  - rhatdan
+  - vrothberg
+reviewers:
+  - ashley-cui
+  - giuseppe
+  - containers/image-maintainers
+  - lsm5
+  - mtrmac
+  - QiWang19
+  - rhatdan
+  - runcom
+  - TomSweeneyRedHat
+  - vrothberg

README.md

@@ -1,115 +1,215 @@
-skopeo [![Build Status](https://travis-ci.org/runcom/skopeo.svg?branch=master)](https://travis-ci.org/runcom/skopeo)
+skopeo [![Build Status](https://travis-ci.org/containers/skopeo.svg?branch=master)](https://travis-ci.org/containers/skopeo)
 =
 
-_Please be aware `skopeo` is still work in progress_
+<img src="https://cdn.rawgit.com/containers/skopeo/master/docs/skopeo.svg" width="250">
 
-`skopeo` is a command line utility which is able to _inspect_ a repository on a Docker registry.
-By _inspect_ I mean it fetches the repository's manifest and it is able to show you a `docker inspect`-like
-json output about a whole repository or a tag. This tool, in constrast to `docker inspect`, helps you gather useful information about
-a repository or a tag before pulling it (using disk space) - e.g. - which tags are available for the given repository? which labels the image has?
+----
+
+`skopeo` is a command line utility that performs various operations on container images and image repositories.
+
+`skopeo` does not require the user to be running as root to do most of its operations.
+
+`skopeo` does not require a daemon to be running to perform its operations.
+
+`skopeo` can work with [OCI images](https://github.com/opencontainers/image-spec) as well as the original Docker v2 images.
+
+Skopeo works with API V2 container image registries such as [docker.io](https://docker.io) and [quay.io](https://quay.io) registries, private registries, local directories and local OCI-layout directories. Skopeo can perform operations which consist of:
+
+ * Copying an image from and to various storage mechanisms.
+   For example you can copy images from one registry to another, without requiring privilege.
+ * Inspecting a remote image showing its properties including its layers, without requiring you to pull the image to the host.
+ * Deleting an image from an image repository.
+ * Syncing an external image repository to an internal registry for air-gapped deployments.
+ * When required by the repository, skopeo can pass the appropriate credentials and certificates for authentication.
+
+ Skopeo operates on the following image and repository types:
+
+ * containers-storage:docker-reference
+         An image located in a local containers/storage image store.  Both the location and image store are specified in /etc/containers/storage.conf. (This is  the backend for [Podman](https://podman.io), [CRI-O](https://cri-o.io), [Buildah](https://buildah.io) and friends)
+
+ * dir:path
+         An existing local directory path storing the manifest, layer tarballs and signatures as individual files. This is a non-standardized format, primarily useful for debugging or noninvasive container inspection.
+
+ * docker://docker-reference
+         An image in a registry implementing the "Docker Registry HTTP API V2". By default, uses the authorization state in `$XDG_RUNTIME_DIR/containers/auth.json`, which is set using `skopeo login`.
+
+ * docker-archive:path[:docker-reference]
+         An image is stored in a `docker save`-formatted file.  docker-reference is only used when creating such a file, and it must not contain a digest.
+
+ * docker-daemon:docker-reference
+         An image docker-reference stored in the docker daemon internal storage.  docker-reference must contain either a tag or a digest.  Alternatively, when reading images, the format can also be docker-daemon:algo:digest (an image ID).
+
+ * oci:path:tag
+         An image tag in a directory compliant with "Open Container Image Layout Specification" at path.
+
+## Inspecting a repository
+`skopeo` is able to _inspect_ a repository on a container registry and fetch images layers.
+The _inspect_ command fetches the repository's manifest and it is able to show you a `docker inspect`-like
+json output about a whole repository or a tag. This tool, in contrast to `docker inspect`, helps you gather useful information about
+a repository or a tag before pulling it (using disk space).  The inspect command can show you which tags are available for the given 
+repository, the labels the image has, the creation date and operating system of the image and more.  
 
 Examples:
-```sh
-# show repository's labels of rhel7:latest
-$ skopeo registry.access.redhat.com/rhel7 | jq '.Config.Labels'
+
+#### Show properties of fedora:latest
+```console
+$ skopeo inspect docker://registry.fedoraproject.org/fedora:latest
 {
-  "Architecture": "x86_64",
-  "Authoritative_Registry": "registry.access.redhat.com",
-  "BZComponent": "rhel-server-docker",
-  "Build_Host": "rcm-img04.build.eng.bos.redhat.com",
-  "Name": "rhel7/rhel",
-  "Release": "38",
-  "Vendor": "Red Hat, Inc.",
-  "Version": "7.2"
+    "Name": "registry.fedoraproject.org/fedora",
+    "Digest": "sha256:655721ff613ee766a4126cb5e0d5ae81598e1b0c3bcf7017c36c4d72cb092fe9",
+    "RepoTags": [
+        "24",
+        "25",
+        "26-modular",
+	...
+    ],
+    "Created": "2020-04-29T06:48:16Z",
+    "DockerVersion": "1.10.1",
+    "Labels": {
+        "license": "MIT",
+        "name": "fedora",
+        "vendor": "Fedora Project",
+        "version": "32"
+    },
+    "Architecture": "amd64",
+    "Os": "linux",
+    "Layers": [
+        "sha256:3088721d7dbf674fc0be64cd3cf00c25aab921cacf35fa0e7b1578500a3e1653"
+    ],
+    "Env": [
+        "DISTTAG=f32container",
+        "FGC=f32",
+        "container=oci"
+    ]
 }
-
-# show repository's tags
-$ skopeo docker.io/fedora | jq '.RepoTags'
-[
-  "20",
-  "21",
-  "22",
-  "23",
-  "heisenbug",
-  "latest",
-  "rawhide"
-]
-
-# show image's digest
-$ skopeo docker.io/fedora:rawhide | jq '.Digest'
-"sha256:905b4846938c8aef94f52f3e41a11398ae5b40f5855fb0e40ed9c157e721d7f8"
 ```
 
-Private registries with authentication
--
-When interacting with private registries, `skopeo` first looks for the Docker's cli config file (usually located at `$HOME/.docker/config.json`) to get the credentials needed to authenticate. When the file isn't available it falls back looking for `--username` and `--password` flags. The ultimate fallback, as Docker does, is to provide an empty authentication when interacting with those registries.
+#### Show container configuration from `fedora:latest`
 
-Examples:
-```sh
-# on my system
-$ skopeo --help | grep docker-cfg
-   --docker-cfg "/home/runcom/.docker"	Docker's cli config for auth
-
-$ cat /home/runcom/.docker/config.json
+```console
+$ skopeo inspect --config docker://registry.fedoraproject.org/fedora:latest  | jq
 {
-	"auths": {
-		"myregistrydomain.com:5000": {
-			"auth": "dGVzdHVzZXI6dGVzdHBhc3N3b3Jk",
-			"email": "stuf@ex.cm"
-		}
-	}
+  "created": "2020-04-29T06:48:16Z",
+  "architecture": "amd64",
+  "os": "linux",
+  "config": {
+    "Env": [
+      "DISTTAG=f32container",
+      "FGC=f32",
+      "container=oci"
+    ],
+    "Cmd": [
+      "/bin/bash"
+    ],
+    "Labels": {
+      "license": "MIT",
+      "name": "fedora",
+      "vendor": "Fedora Project",
+      "version": "32"
+    }
+  },
+  "rootfs": {
+    "type": "layers",
+    "diff_ids": [
+      "sha256:a4c0fa2b217d3fd63d51e55a6fd59432e543d499c0df2b1acd48fbe424f2ddd1"
+    ]
+  },
+  "history": [
+    {
+      "created": "2020-04-29T06:48:16Z",
+      "comment": "Created by Image Factory"
+    }
+  ]
 }
+```
+#### Show unverified image's digest
+```console
+$ skopeo inspect docker://registry.fedoraproject.org/fedora:latest | jq '.Digest'
+"sha256:655721ff613ee766a4126cb5e0d5ae81598e1b0c3bcf7017c36c4d72cb092fe9"
+```
 
-# we can see I'm already authenticated via docker login so everything will be fine
-$ skopeo myregistrydomain.com:5000/busybox
+## Copying images
+
+`skopeo` can copy container images between various storage mechanisms, including:
+* Container registries
+
+  -  The Quay, Docker Hub, OpenShift, GCR, Artifactory ...
+
+* Container Storage backends
+
+  -  [github.com/containers/storage](https://github.com/containers/storage) (Backend for [Podman](https://podman.io), [CRI-O](https://cri-o.io), [Buildah](https://buildah.io) and friends)
+
+  -  Docker daemon storage
+
+* Local directories
+
+* Local OCI-layout directories
+
+```console
+$ skopeo copy docker://quay.io/buildah/stable docker://registry.internal.company.com/buildah
+$ skopeo copy oci:busybox_ocilayout:latest dir:existingemptydirectory
+```
+
+## Deleting images
+```console
+$ skopeo delete docker://localhost:5000/imagename:latest
+```
+
+## Syncing registries
+```console
+$ skopeo sync --src docker --dest dir registry.example.com/busybox /media/usb
+```
+
+## Authenticating to a registry
+
+#### Private registries with authentication
+skopeo uses credentials from the --creds (for skopeo inspect|delete) or --src-creds|--dest-creds (for skopeo copy) flags, if set; otherwise it uses configuration set by skopeo login, podman login, buildah login, or docker login.
+
+```console
+$ skopeo login --username USER myregistrydomain.com:5000
+Password:
+$ skopeo inspect docker://myregistrydomain.com:5000/busybox
 {"Tag":"latest","Digest":"sha256:473bb2189d7b913ed7187a33d11e743fdc2f88931122a44d91a301b64419f092","RepoTags":["latest"],"Comment":"","Created":"2016-01-15T18:06:41.282540103Z","ContainerConfig":{"Hostname":"aded96b43f48","Domainname":"","User":"","AttachStdin":false,"AttachStdout":false,"AttachStderr":false,"Tty":false,"OpenStdin":false,"StdinOnce":false,"Env":null,"Cmd":["/bin/sh","-c","#(nop) CMD [\"sh\"]"],"Image":"9e77fef7a1c9f989988c06620dabc4020c607885b959a2cbd7c2283c91da3e33","Volumes":null,"WorkingDir":"","Entrypoint":null,"OnBuild":null,"Labels":null},"DockerVersion":"1.8.3","Author":"","Config":{"Hostname":"aded96b43f48","Domainname":"","User":"","AttachStdin":false,"AttachStdout":false,"AttachStderr":false,"Tty":false,"OpenStdin":false,"StdinOnce":false,"Env":null,"Cmd":["sh"],"Image":"9e77fef7a1c9f989988c06620dabc4020c607885b959a2cbd7c2283c91da3e33","Volumes":null,"WorkingDir":"","Entrypoint":null,"OnBuild":null,"Labels":null},"Architecture":"amd64","Os":"linux"}
+$ skopeo logout myregistrydomain.com:5000
+```
 
-# let's try now to fake a non existent Docker's config file
-$ skopeo --docker-cfg="" myregistrydomain.com:5000/busybox
-FATA[0000] Get https://myregistrydomain.com:5000/v2/busybox/manifests/latest: no basic auth credentials
+#### Using --creds directly
 
-# passing --username and --password - we can see that everything goes fine
-$ skopeo --docker-cfg="" --username=testuser --password=testpassword myregistrydomain.com:5000/busybox
+```console
+$ skopeo inspect --creds=testuser:testpassword docker://myregistrydomain.com:5000/busybox
 {"Tag":"latest","Digest":"sha256:473bb2189d7b913ed7187a33d11e743fdc2f88931122a44d91a301b64419f092","RepoTags":["latest"],"Comment":"","Created":"2016-01-15T18:06:41.282540103Z","ContainerConfig":{"Hostname":"aded96b43f48","Domainname":"","User":"","AttachStdin":false,"AttachStdout":false,"AttachStderr":false,"Tty":false,"OpenStdin":false,"StdinOnce":false,"Env":null,"Cmd":["/bin/sh","-c","#(nop) CMD [\"sh\"]"],"Image":"9e77fef7a1c9f989988c06620dabc4020c607885b959a2cbd7c2283c91da3e33","Volumes":null,"WorkingDir":"","Entrypoint":null,"OnBuild":null,"Labels":null},"DockerVersion":"1.8.3","Author":"","Config":{"Hostname":"aded96b43f48","Domainname":"","User":"","AttachStdin":false,"AttachStdout":false,"AttachStderr":false,"Tty":false,"OpenStdin":false,"StdinOnce":false,"Env":null,"Cmd":["sh"],"Image":"9e77fef7a1c9f989988c06620dabc4020c607885b959a2cbd7c2283c91da3e33","Volumes":null,"WorkingDir":"","Entrypoint":null,"OnBuild":null,"Labels":null},"Architecture":"amd64","Os":"linux"}
 ```
-If your cli config is found but it doesn't contain the necessary credentials for the queried registry
-you'll get an error. You can fix this by either logging in (via `docker login`) or providing `--username`
-and `--password`.
-Building
--
-To build `skopeo` you need at least Go 1.5 because it uses the latest `GO15VENDOREXPERIMENT` flag. Also, make sure to clone the repository in your `GOPATH` - otherwise compilation fails.
-```sh
-$ cd $GOPATH/src/github.com # make sure you have github.com folder otherwise just create it
-$ git clone https://github.com/runcom/skopeo
-$ cd runcom && make binary
-```
-Man:
--
-To build the man page you need [`go-md2man`](https://github.com/cpuguy83/go-md2man) available on your system, then:
-```
-$ make man
-```
-Installing
--
-```sh
-$ sudo make install
-```
-Tests
--
-_You need Docker installed on your system in order to run the test suite_
-```sh
-$ make test-integration
-```
-TODO
--
-- show repo tags via flag or when reference isn't tagged or digested
-- add tests (integration with deployed registries in container - Docker-like)
-- support rkt/appc image spec
 
-NOT TODO
+```console
+$ skopeo copy --src-creds=testuser:testpassword docker://myregistrydomain.com:5000/private oci:local_oci_image
+```
+
+[Obtaining skopeo](./install.md)
 -
-- provide a _format_ flag - just use the awesome [jq](https://stedolan.github.io/jq/)
+
+For a detailed description how to install or build skopeo, see
+[install.md](./install.md).
+
+Contributing
+-
+
+Please read the [contribution guide](CONTRIBUTING.md) if you want to collaborate in the project.
+
+## Commands
+| Command                                            | Description                                                                                  |
+| -------------------------------------------------- | ---------------------------------------------------------------------------------------------|
+| [skopeo-copy(1)](/docs/skopeo-copy.1.md)           | Copy an image (manifest, filesystem layers, signatures) from one location to another.        |
+| [skopeo-delete(1)](/docs/skopeo-delete.1.md)       | Mark the image-name for later deletion by the registry's garbage collector.                                                                |
+| [skopeo-inspect(1)](/docs/skopeo-inspect.1.md)     | Return  low-level  information about image-name in a registry.                                |
+| [skopeo-list-tags(1)](/docs/skopeo-list-tags.1.md) | Return a list of tags for the transport-specific image repository.                               |
+| [skopeo-login(1)](/docs/skopeo-login.1.md)         | Login to a container registry.                                                               |
+| [skopeo-logout(1)](/docs/skopeo-logout.1.md)       | Logout of a container registry.                                                              |
+| [skopeo-manifest-digest(1)](/docs/skopeo-manifest-digest.1.md)    | Compute a manifest digest for a manifest-file and write it to standard output.   |
+| [skopeo-standalone-sign(1)](/docs/skopeo-standalone-sign.1.md)    | Debugging tool - Publish and sign an image in one step.                                                         |
+| [skopeo-standalone-verify(1)](/docs/skopeo-standalone-verify.1.md)| Verify an image signature.                                                    |
+| [skopeo-sync(1)](/docs/skopeo-sync.1.md)           | Synchronize images between container registries and local directories.                       |
 
 License
 -
-ASL 2.0
+skopeo is licensed under the Apache License, Version 2.0. See
+[LICENSE](LICENSE) for the full license text.

SECURITY.md

@@ -0,0 +1,3 @@
+## Security and Disclosure Information Policy for the skopeo Project
+
+The skopeo Project follows the [Security and Disclosure Information Policy](https://github.com/containers/common/blob/main/SECURITY.md) for the Containers Projects.

cmd/skopeo/cgo_pthread_ordering_workaround.go

@@ -0,0 +1,35 @@
+//go:build !containers_image_openpgp
+// +build !containers_image_openpgp
+
+package main
+
+/*
+This is a pretty horrible workaround.  Due to a glibc bug
+https://bugzilla.redhat.com/show_bug.cgi?id=1326903 , we must ensure we link
+with -lgpgme before -lpthread.  Such arguments come from various packages
+using cgo, and the ordering of these arguments is, with current (go tool link),
+dependent on the order in which the cgo-using packages are found in a
+breadth-first search following dependencies, starting from “main”.
+
+Thus, if
+   import "net"
+is processed before
+   import "…/skopeo/signature"
+it will, in the next level of the BFS, pull in "runtime/cgo" (a dependency of
+"net") before "mtrmac/gpgme" (a dependency of "…/skopeo/signature"), causing
+-lpthread (used by "runtime/cgo") to be used before -lgpgme.
+
+This might be possible to work around by careful import ordering, or by removing
+a direct dependency on "net", but that would be very fragile.
+
+So, until the above bug is fixed, add -lgpgme directly in the "main" package
+to ensure the needed build order.
+
+Unfortunately, this workaround needs to be applied at the top level of any user
+of "…/skopeo/signature"; it cannot be added to "…/skopeo/signature" itself,
+by that time this package is first processed by the linker, a -lpthread may
+already be queued and it would be too late.
+*/
+
+// #cgo LDFLAGS: -lgpgme
+import "C"

cmd/skopeo/copy.go

@@ -0,0 +1,259 @@
+package main
+
+import (
+	"errors"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"strings"
+
+	commonFlag "github.com/containers/common/pkg/flag"
+	"github.com/containers/common/pkg/retry"
+	"github.com/containers/image/v5/copy"
+	"github.com/containers/image/v5/docker/reference"
+	"github.com/containers/image/v5/manifest"
+	"github.com/containers/image/v5/pkg/cli"
+	"github.com/containers/image/v5/transports"
+	"github.com/containers/image/v5/transports/alltransports"
+	encconfig "github.com/containers/ocicrypt/config"
+	enchelpers "github.com/containers/ocicrypt/helpers"
+	"github.com/spf13/cobra"
+)
+
+type copyOptions struct {
+	global              *globalOptions
+	deprecatedTLSVerify *deprecatedTLSVerifyOption
+	srcImage            *imageOptions
+	destImage           *imageDestOptions
+	retryOpts           *retry.RetryOptions
+	additionalTags      []string                  // For docker-archive: destinations, in addition to the name:tag specified as destination, also add these
+	removeSignatures    bool                      // Do not copy signatures from the source image
+	signByFingerprint   string                    // Sign the image using a GPG key with the specified fingerprint
+	signPassphraseFile  string                    // Path pointing to a passphrase file when signing
+	digestFile          string                    // Write digest to this file
+	format              commonFlag.OptionalString // Force conversion of the image to a specified format
+	quiet               bool                      // Suppress output information when copying images
+	all                 bool                      // Copy all of the images if the source is a list
+	multiArch           commonFlag.OptionalString // How to handle multi architecture images
+	preserveDigests     bool                      // Preserve digests during copy
+	encryptLayer        []int                     // The list of layers to encrypt
+	encryptionKeys      []string                  // Keys needed to encrypt the image
+	decryptionKeys      []string                  // Keys needed to decrypt the image
+}
+
+func copyCmd(global *globalOptions) *cobra.Command {
+	sharedFlags, sharedOpts := sharedImageFlags()
+	deprecatedTLSVerifyFlags, deprecatedTLSVerifyOpt := deprecatedTLSVerifyFlags()
+	srcFlags, srcOpts := imageFlags(global, sharedOpts, deprecatedTLSVerifyOpt, "src-", "screds")
+	destFlags, destOpts := imageDestFlags(global, sharedOpts, deprecatedTLSVerifyOpt, "dest-", "dcreds")
+	retryFlags, retryOpts := retryFlags()
+	opts := copyOptions{global: global,
+		deprecatedTLSVerify: deprecatedTLSVerifyOpt,
+		srcImage:            srcOpts,
+		destImage:           destOpts,
+		retryOpts:           retryOpts,
+	}
+	cmd := &cobra.Command{
+		Use:   "copy [command options] SOURCE-IMAGE DESTINATION-IMAGE",
+		Short: "Copy an IMAGE-NAME from one location to another",
+		Long: fmt.Sprintf(`Container "IMAGE-NAME" uses a "transport":"details" format.
+
+Supported transports:
+%s
+
+See skopeo(1) section "IMAGE NAMES" for the expected format
+`, strings.Join(transports.ListNames(), ", ")),
+		RunE:    commandAction(opts.run),
+		Example: `skopeo copy docker://quay.io/skopeo/stable:latest docker://registry.example.com/skopeo:latest`,
+	}
+	adjustUsage(cmd)
+	flags := cmd.Flags()
+	flags.AddFlagSet(&sharedFlags)
+	flags.AddFlagSet(&deprecatedTLSVerifyFlags)
+	flags.AddFlagSet(&srcFlags)
+	flags.AddFlagSet(&destFlags)
+	flags.AddFlagSet(&retryFlags)
+	flags.StringSliceVar(&opts.additionalTags, "additional-tag", []string{}, "additional tags (supports docker-archive)")
+	flags.BoolVarP(&opts.quiet, "quiet", "q", false, "Suppress output information when copying images")
+	flags.BoolVarP(&opts.all, "all", "a", false, "Copy all images if SOURCE-IMAGE is a list")
+	flags.Var(commonFlag.NewOptionalStringValue(&opts.multiArch), "multi-arch", `How to handle multi-architecture images (system, all, or index-only)`)
+	flags.BoolVar(&opts.preserveDigests, "preserve-digests", false, "Preserve digests of images and lists")
+	flags.BoolVar(&opts.removeSignatures, "remove-signatures", false, "Do not copy signatures from SOURCE-IMAGE")
+	flags.StringVar(&opts.signByFingerprint, "sign-by", "", "Sign the image using a GPG key with the specified `FINGERPRINT`")
+	flags.StringVar(&opts.signPassphraseFile, "sign-passphrase-file", "", "File that contains a passphrase for the --sign-by key")
+	flags.StringVar(&opts.digestFile, "digestfile", "", "Write the digest of the pushed image to the specified file")
+	flags.VarP(commonFlag.NewOptionalStringValue(&opts.format), "format", "f", `MANIFEST TYPE (oci, v2s1, or v2s2) to use in the destination (default is manifest type of source, with fallbacks)`)
+	flags.StringSliceVar(&opts.encryptionKeys, "encryption-key", []string{}, "*Experimental* key with the encryption protocol to use needed to encrypt the image (e.g. jwe:/path/to/key.pem)")
+	flags.IntSliceVar(&opts.encryptLayer, "encrypt-layer", []int{}, "*Experimental* the 0-indexed layer indices, with support for negative indexing (e.g. 0 is the first layer, -1 is the last layer)")
+	flags.StringSliceVar(&opts.decryptionKeys, "decryption-key", []string{}, "*Experimental* key needed to decrypt the image")
+	return cmd
+}
+
+// parseMultiArch parses the list processing selection
+// It returns the copy.ImageListSelection to use with image.Copy option
+func parseMultiArch(multiArch string) (copy.ImageListSelection, error) {
+	switch multiArch {
+	case "system":
+		return copy.CopySystemImage, nil
+	case "all":
+		return copy.CopyAllImages, nil
+	// There is no CopyNoImages value in copy.ImageListSelection, but because we
+	// don't provide an option to select a set of images to copy, we can use
+	// CopySpecificImages.
+	case "index-only":
+		return copy.CopySpecificImages, nil
+	// We don't expose CopySpecificImages other than index-only above, because
+	// we currently don't provide an option to choose the images to copy. That
+	// could be added in the future.
+	default:
+		return copy.CopySystemImage, fmt.Errorf("unknown multi-arch option %q. Choose one of the supported options: 'system', 'all', or 'index-only'", multiArch)
+	}
+}
+
+func (opts *copyOptions) run(args []string, stdout io.Writer) error {
+	if len(args) != 2 {
+		return errorShouldDisplayUsage{errors.New("Exactly two arguments expected")}
+	}
+	opts.deprecatedTLSVerify.warnIfUsed([]string{"--src-tls-verify", "--dest-tls-verify"})
+	imageNames := args
+
+	if err := reexecIfNecessaryForImages(imageNames...); err != nil {
+		return err
+	}
+
+	policyContext, err := opts.global.getPolicyContext()
+	if err != nil {
+		return fmt.Errorf("Error loading trust policy: %v", err)
+	}
+	defer policyContext.Destroy()
+
+	srcRef, err := alltransports.ParseImageName(imageNames[0])
+	if err != nil {
+		return fmt.Errorf("Invalid source name %s: %v", imageNames[0], err)
+	}
+	destRef, err := alltransports.ParseImageName(imageNames[1])
+	if err != nil {
+		return fmt.Errorf("Invalid destination name %s: %v", imageNames[1], err)
+	}
+
+	sourceCtx, err := opts.srcImage.newSystemContext()
+	if err != nil {
+		return err
+	}
+	destinationCtx, err := opts.destImage.newSystemContext()
+	if err != nil {
+		return err
+	}
+
+	var manifestType string
+	if opts.format.Present() {
+		manifestType, err = parseManifestFormat(opts.format.Value())
+		if err != nil {
+			return err
+		}
+	}
+
+	for _, image := range opts.additionalTags {
+		ref, err := reference.ParseNormalizedNamed(image)
+		if err != nil {
+			return fmt.Errorf("error parsing additional-tag '%s': %v", image, err)
+		}
+		namedTagged, isNamedTagged := ref.(reference.NamedTagged)
+		if !isNamedTagged {
+			return fmt.Errorf("additional-tag '%s' must be a tagged reference", image)
+		}
+		destinationCtx.DockerArchiveAdditionalTags = append(destinationCtx.DockerArchiveAdditionalTags, namedTagged)
+	}
+
+	ctx, cancel := opts.global.commandTimeoutContext()
+	defer cancel()
+
+	if opts.quiet {
+		stdout = nil
+	}
+
+	imageListSelection := copy.CopySystemImage
+	if opts.multiArch.Present() && opts.all {
+		return fmt.Errorf("Cannot use --all and --multi-arch flags together")
+	}
+	if opts.multiArch.Present() {
+		imageListSelection, err = parseMultiArch(opts.multiArch.Value())
+		if err != nil {
+			return err
+		}
+	}
+	if opts.all {
+		imageListSelection = copy.CopyAllImages
+	}
+
+	if len(opts.encryptionKeys) > 0 && len(opts.decryptionKeys) > 0 {
+		return fmt.Errorf("--encryption-key and --decryption-key cannot be specified together")
+	}
+
+	var encLayers *[]int
+	var encConfig *encconfig.EncryptConfig
+	var decConfig *encconfig.DecryptConfig
+
+	if len(opts.encryptLayer) > 0 && len(opts.encryptionKeys) == 0 {
+		return fmt.Errorf("--encrypt-layer can only be used with --encryption-key")
+	}
+
+	if len(opts.encryptionKeys) > 0 {
+		// encryption
+		p := opts.encryptLayer
+		encLayers = &p
+		encryptionKeys := opts.encryptionKeys
+		ecc, err := enchelpers.CreateCryptoConfig(encryptionKeys, []string{})
+		if err != nil {
+			return fmt.Errorf("Invalid encryption keys: %v", err)
+		}
+		cc := encconfig.CombineCryptoConfigs([]encconfig.CryptoConfig{ecc})
+		encConfig = cc.EncryptConfig
+	}
+
+	if len(opts.decryptionKeys) > 0 {
+		// decryption
+		decryptionKeys := opts.decryptionKeys
+		dcc, err := enchelpers.CreateCryptoConfig([]string{}, decryptionKeys)
+		if err != nil {
+			return fmt.Errorf("Invalid decryption keys: %v", err)
+		}
+		cc := encconfig.CombineCryptoConfigs([]encconfig.CryptoConfig{dcc})
+		decConfig = cc.DecryptConfig
+	}
+
+	passphrase, err := cli.ReadPassphraseFile(opts.signPassphraseFile)
+	if err != nil {
+		return err
+	}
+
+	return retry.RetryIfNecessary(ctx, func() error {
+		manifestBytes, err := copy.Image(ctx, policyContext, destRef, srcRef, &copy.Options{
+			RemoveSignatures:      opts.removeSignatures,
+			SignBy:                opts.signByFingerprint,
+			SignPassphrase:        passphrase,
+			ReportWriter:          stdout,
+			SourceCtx:             sourceCtx,
+			DestinationCtx:        destinationCtx,
+			ForceManifestMIMEType: manifestType,
+			ImageListSelection:    imageListSelection,
+			PreserveDigests:       opts.preserveDigests,
+			OciDecryptConfig:      decConfig,
+			OciEncryptLayers:      encLayers,
+			OciEncryptConfig:      encConfig,
+		})
+		if err != nil {
+			return err
+		}
+		if opts.digestFile != "" {
+			manifestDigest, err := manifest.Digest(manifestBytes)
+			if err != nil {
+				return err
+			}
+			if err = ioutil.WriteFile(opts.digestFile, []byte(manifestDigest.String()), 0644); err != nil {
+				return fmt.Errorf("Failed to write digest to file %q: %w", opts.digestFile, err)
+			}
+		}
+		return nil
+	}, opts.retryOpts)
+}

cmd/skopeo/delete.go

@@ -0,0 +1,75 @@
+package main
+
+import (
+	"errors"
+	"fmt"
+	"io"
+	"strings"
+
+	"github.com/containers/common/pkg/retry"
+	"github.com/containers/image/v5/transports"
+	"github.com/containers/image/v5/transports/alltransports"
+	"github.com/spf13/cobra"
+)
+
+type deleteOptions struct {
+	global    *globalOptions
+	image     *imageOptions
+	retryOpts *retry.RetryOptions
+}
+
+func deleteCmd(global *globalOptions) *cobra.Command {
+	sharedFlags, sharedOpts := sharedImageFlags()
+	imageFlags, imageOpts := imageFlags(global, sharedOpts, nil, "", "")
+	retryFlags, retryOpts := retryFlags()
+	opts := deleteOptions{
+		global:    global,
+		image:     imageOpts,
+		retryOpts: retryOpts,
+	}
+	cmd := &cobra.Command{
+		Use:   "delete [command options] IMAGE-NAME",
+		Short: "Delete image IMAGE-NAME",
+		Long: fmt.Sprintf(`Delete an "IMAGE_NAME" from a transport
+Supported transports:
+%s
+See skopeo(1) section "IMAGE NAMES" for the expected format
+`, strings.Join(transports.ListNames(), ", ")),
+		RunE:    commandAction(opts.run),
+		Example: `skopeo delete docker://registry.example.com/example/pause:latest`,
+	}
+	adjustUsage(cmd)
+	flags := cmd.Flags()
+	flags.AddFlagSet(&sharedFlags)
+	flags.AddFlagSet(&imageFlags)
+	flags.AddFlagSet(&retryFlags)
+	return cmd
+}
+
+func (opts *deleteOptions) run(args []string, stdout io.Writer) error {
+	if len(args) != 1 {
+		return errors.New("Usage: delete imageReference")
+	}
+	imageName := args[0]
+
+	if err := reexecIfNecessaryForImages(imageName); err != nil {
+		return err
+	}
+
+	ref, err := alltransports.ParseImageName(imageName)
+	if err != nil {
+		return fmt.Errorf("Invalid source name %s: %v", imageName, err)
+	}
+
+	sys, err := opts.image.newSystemContext()
+	if err != nil {
+		return err
+	}
+
+	ctx, cancel := opts.global.commandTimeoutContext()
+	defer cancel()
+
+	return retry.RetryIfNecessary(ctx, func() error {
+		return ref.DeleteImage(ctx, sys)
+	}, opts.retryOpts)
+}

cmd/skopeo/fixtures/.gitignore

@@ -0,0 +1,4 @@
+/*.gpg~
+/.gpg-v21-migrated
+/private-keys-v1.d
+/random_seed

cmd/skopeo/fixtures/image.manifest.json

@@ -0,0 +1,26 @@
+{
+    "schemaVersion": 2,
+    "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
+    "config": {
+        "mediaType": "application/vnd.docker.container.image.v1+json",
+        "size": 7023,
+        "digest": "sha256:b5b2b2c507a0944348e0303114d8d93aaaa081732b86451d9bce1f432a537bc7"
+    },
+    "layers": [
+        {
+            "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
+            "size": 32654,
+            "digest": "sha256:e692418e4cbaf90ca69d05a66403747baa33ee08806650b51fab815ad7fc331f"
+        },
+        {
+            "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
+            "size": 16724,
+            "digest": "sha256:3c3a4604a545cdc127456d94e421cd355bca5b528f4a9c1905b15da2eb4a4c6b"
+        },
+        {
+            "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
+            "size": 73109,
+            "digest": "sha256:ec4b8955958665577945c89419d1af06b5f7636b4ac3da7f12184802ad867736"
+        }
+    ]
+}

cmd/skopeo/fixtures/v2s1-invalid-signatures.manifest.json

@@ -0,0 +1,11 @@
+{
+   "schemaVersion": 1,
+   "name": "mitr/buxybox",
+   "tag": "latest",
+   "architecture": "amd64",
+   "fsLayers": [
+   ],
+   "history": [
+   ],
+   "signatures": 1
+}

cmd/skopeo/inspect.go

@@ -0,0 +1,234 @@
+package main
+
+import (
+	"encoding/json"
+	"fmt"
+	"io"
+	"os"
+	"strings"
+	"text/tabwriter"
+	"text/template"
+
+	"github.com/containers/common/pkg/report"
+	"github.com/containers/common/pkg/retry"
+	"github.com/containers/image/v5/docker"
+	"github.com/containers/image/v5/image"
+	"github.com/containers/image/v5/manifest"
+	"github.com/containers/image/v5/transports"
+	"github.com/containers/image/v5/types"
+	"github.com/containers/skopeo/cmd/skopeo/inspect"
+	v1 "github.com/opencontainers/image-spec/specs-go/v1"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"
+)
+
+type inspectOptions struct {
+	global        *globalOptions
+	image         *imageOptions
+	retryOpts     *retry.RetryOptions
+	format        string
+	raw           bool // Output the raw manifest instead of parsing information about the image
+	config        bool // Output the raw config blob instead of parsing information about the image
+	doNotListTags bool // Do not list all tags available in the same repository
+}
+
+func inspectCmd(global *globalOptions) *cobra.Command {
+	sharedFlags, sharedOpts := sharedImageFlags()
+	imageFlags, imageOpts := imageFlags(global, sharedOpts, nil, "", "")
+	retryFlags, retryOpts := retryFlags()
+	opts := inspectOptions{
+		global:    global,
+		image:     imageOpts,
+		retryOpts: retryOpts,
+	}
+	cmd := &cobra.Command{
+		Use:   "inspect [command options] IMAGE-NAME",
+		Short: "Inspect image IMAGE-NAME",
+		Long: fmt.Sprintf(`Return low-level information about "IMAGE-NAME" in a registry/transport
+Supported transports:
+%s
+
+See skopeo(1) section "IMAGE NAMES" for the expected format
+`, strings.Join(transports.ListNames(), ", ")),
+		RunE: commandAction(opts.run),
+		Example: `skopeo inspect docker://registry.fedoraproject.org/fedora
+  skopeo inspect --config docker://docker.io/alpine
+  skopeo inspect  --format "Name: {{.Name}} Digest: {{.Digest}}" docker://registry.access.redhat.com/ubi8`,
+	}
+	adjustUsage(cmd)
+	flags := cmd.Flags()
+	flags.BoolVar(&opts.raw, "raw", false, "output raw manifest or configuration")
+	flags.BoolVar(&opts.config, "config", false, "output configuration")
+	flags.StringVarP(&opts.format, "format", "f", "", "Format the output to a Go template")
+	flags.BoolVarP(&opts.doNotListTags, "no-tags", "n", false, "Do not list the available tags from the repository in the output")
+	flags.AddFlagSet(&sharedFlags)
+	flags.AddFlagSet(&imageFlags)
+	flags.AddFlagSet(&retryFlags)
+	return cmd
+}
+
+func (opts *inspectOptions) run(args []string, stdout io.Writer) (retErr error) {
+	var (
+		rawManifest []byte
+		src         types.ImageSource
+		imgInspect  *types.ImageInspectInfo
+		data        []interface{}
+	)
+	ctx, cancel := opts.global.commandTimeoutContext()
+	defer cancel()
+
+	if len(args) != 1 {
+		return errors.New("Exactly one argument expected")
+	}
+	if opts.raw && opts.format != "" {
+		return errors.New("raw output does not support format option")
+	}
+	imageName := args[0]
+
+	if err := reexecIfNecessaryForImages(imageName); err != nil {
+		return err
+	}
+
+	sys, err := opts.image.newSystemContext()
+	if err != nil {
+		return err
+	}
+
+	if err := retry.RetryIfNecessary(ctx, func() error {
+		src, err = parseImageSource(ctx, opts.image, imageName)
+		return err
+	}, opts.retryOpts); err != nil {
+		return errors.Wrapf(err, "Error parsing image name %q", imageName)
+	}
+
+	defer func() {
+		if err := src.Close(); err != nil {
+			retErr = errors.Wrapf(retErr, fmt.Sprintf("(could not close image: %v) ", err))
+		}
+	}()
+
+	if err := retry.RetryIfNecessary(ctx, func() error {
+		rawManifest, _, err = src.GetManifest(ctx, nil)
+		return err
+	}, opts.retryOpts); err != nil {
+		return errors.Wrapf(err, "Error retrieving manifest for image")
+	}
+
+	if opts.raw && !opts.config {
+		_, err := stdout.Write(rawManifest)
+		if err != nil {
+			return fmt.Errorf("Error writing manifest to standard output: %v", err)
+		}
+
+		return nil
+	}
+
+	img, err := image.FromUnparsedImage(ctx, sys, image.UnparsedInstance(src, nil))
+	if err != nil {
+		return errors.Wrapf(err, "Error parsing manifest for image")
+	}
+
+	if opts.config && opts.raw {
+		var configBlob []byte
+		if err := retry.RetryIfNecessary(ctx, func() error {
+			configBlob, err = img.ConfigBlob(ctx)
+			return err
+		}, opts.retryOpts); err != nil {
+			return errors.Wrapf(err, "Error reading configuration blob")
+		}
+		_, err = stdout.Write(configBlob)
+		if err != nil {
+			return errors.Wrapf(err, "Error writing configuration blob to standard output")
+		}
+		return nil
+	} else if opts.config {
+		var config *v1.Image
+		if err := retry.RetryIfNecessary(ctx, func() error {
+			config, err = img.OCIConfig(ctx)
+			return err
+		}, opts.retryOpts); err != nil {
+			return errors.Wrapf(err, "Error reading OCI-formatted configuration data")
+		}
+		if report.IsJSON(opts.format) || opts.format == "" {
+			var out []byte
+			out, err = json.MarshalIndent(config, "", "    ")
+			if err == nil {
+				fmt.Fprintf(stdout, "%s\n", string(out))
+			}
+		} else {
+			row := "{{range . }}" + report.NormalizeFormat(opts.format) + "{{end}}"
+			data = append(data, config)
+			err = printTmpl(row, data)
+		}
+		if err != nil {
+			return errors.Wrapf(err, "Error writing OCI-formatted configuration data to standard output")
+		}
+		return nil
+	}
+
+	if err := retry.RetryIfNecessary(ctx, func() error {
+		imgInspect, err = img.Inspect(ctx)
+		return err
+	}, opts.retryOpts); err != nil {
+		return err
+	}
+
+	outputData := inspect.Output{
+		Name: "", // Set below if DockerReference() is known
+		Tag:  imgInspect.Tag,
+		// Digest is set below.
+		RepoTags:      []string{}, // Possibly overridden for docker.Transport.
+		Created:       imgInspect.Created,
+		DockerVersion: imgInspect.DockerVersion,
+		Labels:        imgInspect.Labels,
+		Architecture:  imgInspect.Architecture,
+		Os:            imgInspect.Os,
+		Layers:        imgInspect.Layers,
+		Env:           imgInspect.Env,
+	}
+	outputData.Digest, err = manifest.Digest(rawManifest)
+	if err != nil {
+		return errors.Wrapf(err, "Error computing manifest digest")
+	}
+	if dockerRef := img.Reference().DockerReference(); dockerRef != nil {
+		outputData.Name = dockerRef.Name()
+	}
+	if !opts.doNotListTags && img.Reference().Transport() == docker.Transport {
+		sys, err := opts.image.newSystemContext()
+		if err != nil {
+			return err
+		}
+		outputData.RepoTags, err = docker.GetRepositoryTags(ctx, sys, img.Reference())
+		if err != nil {
+			// some registries may decide to block the "list all tags" endpoint
+			// gracefully allow the inspect to continue in this case. Currently
+			// the IBM Bluemix container registry has this restriction.
+			// In addition, AWS ECR rejects it with 403 (Forbidden) if the "ecr:ListImages"
+			// action is not allowed.
+			if !strings.Contains(err.Error(), "401") && !strings.Contains(err.Error(), "403") {
+				return errors.Wrapf(err, "Error determining repository tags")
+			}
+			logrus.Warnf("Registry disallows tag list retrieval; skipping")
+		}
+	}
+	if report.IsJSON(opts.format) || opts.format == "" {
+		out, err := json.MarshalIndent(outputData, "", "    ")
+		if err == nil {
+			fmt.Fprintf(stdout, "%s\n", string(out))
+		}
+		return err
+	}
+	row := "{{range . }}" + report.NormalizeFormat(opts.format) + "{{end}}"
+	data = append(data, outputData)
+	return printTmpl(row, data)
+}
+
+func printTmpl(row string, data []interface{}) error {
+	t, err := template.New("skopeo inspect").Parse(row)
+	if err != nil {
+		return err
+	}
+	w := tabwriter.NewWriter(os.Stdout, 8, 2, 2, ' ', 0)
+	return t.Execute(w, data)
+}

cmd/skopeo/inspect/output.go

@@ -0,0 +1,23 @@
+package inspect
+
+import (
+	"time"
+
+	digest "github.com/opencontainers/go-digest"
+)
+
+// Output is the output format of (skopeo inspect),
+// primarily so that we can format it with a simple json.MarshalIndent.
+type Output struct {
+	Name          string `json:",omitempty"`
+	Tag           string `json:",omitempty"`
+	Digest        digest.Digest
+	RepoTags      []string
+	Created       *time.Time
+	DockerVersion string
+	Labels        map[string]string
+	Architecture  string
+	Os            string
+	Layers        []string
+	Env           []string
+}

cmd/skopeo/layers.go

@@ -0,0 +1,175 @@
+package main
+
+import (
+	"fmt"
+	"io"
+	"io/ioutil"
+	"os"
+	"strings"
+
+	"github.com/containers/common/pkg/retry"
+	"github.com/containers/image/v5/directory"
+	"github.com/containers/image/v5/image"
+	"github.com/containers/image/v5/pkg/blobinfocache"
+	"github.com/containers/image/v5/types"
+	"github.com/opencontainers/go-digest"
+	"github.com/pkg/errors"
+	"github.com/spf13/cobra"
+)
+
+type layersOptions struct {
+	global    *globalOptions
+	image     *imageOptions
+	retryOpts *retry.RetryOptions
+}
+
+func layersCmd(global *globalOptions) *cobra.Command {
+	sharedFlags, sharedOpts := sharedImageFlags()
+	imageFlags, imageOpts := imageFlags(global, sharedOpts, nil, "", "")
+	retryFlags, retryOpts := retryFlags()
+	opts := layersOptions{
+		global:    global,
+		image:     imageOpts,
+		retryOpts: retryOpts,
+	}
+	cmd := &cobra.Command{
+		Hidden: true,
+		Use:    "layers [command options] IMAGE-NAME [LAYER...]",
+		Short:  "Get layers of IMAGE-NAME",
+		RunE:   commandAction(opts.run),
+	}
+	adjustUsage(cmd)
+	flags := cmd.Flags()
+	flags.AddFlagSet(&sharedFlags)
+	flags.AddFlagSet(&imageFlags)
+	flags.AddFlagSet(&retryFlags)
+	return cmd
+}
+
+func (opts *layersOptions) run(args []string, stdout io.Writer) (retErr error) {
+	fmt.Fprintln(os.Stderr, `DEPRECATED: skopeo layers is deprecated in favor of skopeo copy`)
+	if len(args) == 0 {
+		return errors.New("Usage: layers imageReference [layer...]")
+	}
+	imageName := args[0]
+
+	if err := reexecIfNecessaryForImages(imageName); err != nil {
+		return err
+	}
+
+	ctx, cancel := opts.global.commandTimeoutContext()
+	defer cancel()
+
+	sys, err := opts.image.newSystemContext()
+	if err != nil {
+		return err
+	}
+	cache := blobinfocache.DefaultCache(sys)
+	var (
+		rawSource types.ImageSource
+		src       types.ImageCloser
+	)
+	if err = retry.RetryIfNecessary(ctx, func() error {
+		rawSource, err = parseImageSource(ctx, opts.image, imageName)
+		return err
+	}, opts.retryOpts); err != nil {
+		return err
+	}
+	if err = retry.RetryIfNecessary(ctx, func() error {
+		src, err = image.FromSource(ctx, sys, rawSource)
+		return err
+	}, opts.retryOpts); err != nil {
+		if closeErr := rawSource.Close(); closeErr != nil {
+			return errors.Wrapf(err, " (close error: %v)", closeErr)
+		}
+
+		return err
+	}
+	defer func() {
+		if err := src.Close(); err != nil {
+			retErr = errors.Wrapf(retErr, " (close error: %v)", err)
+		}
+	}()
+
+	type blobDigest struct {
+		digest   digest.Digest
+		isConfig bool
+	}
+	var blobDigests []blobDigest
+	for _, dString := range args[1:] {
+		if !strings.HasPrefix(dString, "sha256:") {
+			dString = "sha256:" + dString
+		}
+		d, err := digest.Parse(dString)
+		if err != nil {
+			return err
+		}
+		blobDigests = append(blobDigests, blobDigest{digest: d, isConfig: false})
+	}
+
+	if len(blobDigests) == 0 {
+		layers := src.LayerInfos()
+		seenLayers := map[digest.Digest]struct{}{}
+		for _, info := range layers {
+			if _, ok := seenLayers[info.Digest]; !ok {
+				blobDigests = append(blobDigests, blobDigest{digest: info.Digest, isConfig: false})
+				seenLayers[info.Digest] = struct{}{}
+			}
+		}
+		configInfo := src.ConfigInfo()
+		if configInfo.Digest != "" {
+			blobDigests = append(blobDigests, blobDigest{digest: configInfo.Digest, isConfig: true})
+		}
+	}
+
+	tmpDir, err := ioutil.TempDir(".", "layers-")
+	if err != nil {
+		return err
+	}
+	tmpDirRef, err := directory.NewReference(tmpDir)
+	if err != nil {
+		return err
+	}
+	dest, err := tmpDirRef.NewImageDestination(ctx, nil)
+	if err != nil {
+		return err
+	}
+
+	defer func() {
+		if err := dest.Close(); err != nil {
+			retErr = errors.Wrapf(retErr, " (close error: %v)", err)
+		}
+	}()
+
+	for _, bd := range blobDigests {
+		var (
+			r        io.ReadCloser
+			blobSize int64
+		)
+		if err = retry.RetryIfNecessary(ctx, func() error {
+			r, blobSize, err = rawSource.GetBlob(ctx, types.BlobInfo{Digest: bd.digest, Size: -1}, cache)
+			return err
+		}, opts.retryOpts); err != nil {
+			return err
+		}
+		if _, err := dest.PutBlob(ctx, r, types.BlobInfo{Digest: bd.digest, Size: blobSize}, cache, bd.isConfig); err != nil {
+			if closeErr := r.Close(); closeErr != nil {
+				return errors.Wrapf(err, " (close error: %v)", closeErr)
+			}
+			return err
+		}
+	}
+
+	var manifest []byte
+	if err = retry.RetryIfNecessary(ctx, func() error {
+		manifest, _, err = src.Manifest(ctx)
+		return err
+	}, opts.retryOpts); err != nil {
+		return err
+	}
+	if err := dest.PutManifest(ctx, manifest, nil); err != nil {
+		return err
+	}
+
+	return dest.Commit(ctx, image.UnparsedInstance(rawSource, nil))
+}

cmd/skopeo/list_tags.go

@@ -0,0 +1,147 @@
+package main
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"io"
+	"strings"
+
+	"github.com/containers/common/pkg/retry"
+	"github.com/containers/image/v5/docker"
+	"github.com/containers/image/v5/docker/reference"
+	"github.com/containers/image/v5/transports/alltransports"
+	"github.com/containers/image/v5/types"
+	"github.com/pkg/errors"
+	"github.com/spf13/cobra"
+)
+
+// tagListOutput is the output format of (skopeo list-tags), primarily so that we can format it with a simple json.MarshalIndent.
+type tagListOutput struct {
+	Repository string
+	Tags       []string
+}
+
+type tagsOptions struct {
+	global    *globalOptions
+	image     *imageOptions
+	retryOpts *retry.RetryOptions
+}
+
+func tagsCmd(global *globalOptions) *cobra.Command {
+	sharedFlags, sharedOpts := sharedImageFlags()
+	imageFlags, imageOpts := dockerImageFlags(global, sharedOpts, nil, "", "")
+	retryFlags, retryOpts := retryFlags()
+
+	opts := tagsOptions{
+		global:    global,
+		image:     imageOpts,
+		retryOpts: retryOpts,
+	}
+	cmd := &cobra.Command{
+		Use:   "list-tags [command options] REPOSITORY-NAME",
+		Short: "List tags in the transport/repository specified by the REPOSITORY-NAME",
+		Long: `Return the list of tags from the transport/repository "REPOSITORY-NAME"
+
+Supported transports:
+docker
+
+See skopeo-list-tags(1) section "REPOSITORY NAMES" for the expected format
+`,
+		RunE:    commandAction(opts.run),
+		Example: `skopeo list-tags docker://docker.io/fedora`,
+	}
+	adjustUsage(cmd)
+	flags := cmd.Flags()
+	flags.AddFlagSet(&sharedFlags)
+	flags.AddFlagSet(&imageFlags)
+	flags.AddFlagSet(&retryFlags)
+	return cmd
+}
+
+// Customized version of the alltransports.ParseImageName and docker.ParseReference that does not place a default tag in the reference
+// Would really love to not have this, but needed to enforce tag-less and digest-less names
+func parseDockerRepositoryReference(refString string) (types.ImageReference, error) {
+	if !strings.HasPrefix(refString, docker.Transport.Name()+"://") {
+		return nil, errors.Errorf("docker: image reference %s does not start with %s://", refString, docker.Transport.Name())
+	}
+
+	parts := strings.SplitN(refString, ":", 2)
+	if len(parts) != 2 {
+		return nil, errors.Errorf(`Invalid image name "%s", expected colon-separated transport:reference`, refString)
+	}
+
+	ref, err := reference.ParseNormalizedNamed(strings.TrimPrefix(parts[1], "//"))
+	if err != nil {
+		return nil, err
+	}
+
+	if !reference.IsNameOnly(ref) {
+		return nil, errors.New(`No tag or digest allowed in reference`)
+	}
+
+	// Checks ok, now return a reference. This is a hack because the tag listing code expects a full image reference even though the tag is ignored
+	return docker.NewReference(reference.TagNameOnly(ref))
+}
+
+// List the tags from a repository contained in the imgRef reference. Any tag value in the reference is ignored
+func listDockerTags(ctx context.Context, sys *types.SystemContext, imgRef types.ImageReference) (string, []string, error) {
+	repositoryName := imgRef.DockerReference().Name()
+
+	tags, err := docker.GetRepositoryTags(ctx, sys, imgRef)
+	if err != nil {
+		return ``, nil, fmt.Errorf("Error listing repository tags: %v", err)
+	}
+	return repositoryName, tags, nil
+}
+
+func (opts *tagsOptions) run(args []string, stdout io.Writer) (retErr error) {
+	ctx, cancel := opts.global.commandTimeoutContext()
+	defer cancel()
+
+	if len(args) != 1 {
+		return errorShouldDisplayUsage{errors.New("Exactly one non-option argument expected")}
+	}
+
+	sys, err := opts.image.newSystemContext()
+	if err != nil {
+		return err
+	}
+
+	transport := alltransports.TransportFromImageName(args[0])
+	if transport == nil {
+		return fmt.Errorf("Invalid %q: does not specify a transport", args[0])
+	}
+
+	if transport.Name() != docker.Transport.Name() {
+		return fmt.Errorf("Unsupported transport '%v' for tag listing. Only '%v' currently supported", transport.Name(), docker.Transport.Name())
+	}
+
+	// Do transport-specific parsing and validation to get an image reference
+	imgRef, err := parseDockerRepositoryReference(args[0])
+	if err != nil {
+		return err
+	}
+
+	var repositoryName string
+	var tagListing []string
+	if err = retry.RetryIfNecessary(ctx, func() error {
+		repositoryName, tagListing, err = listDockerTags(ctx, sys, imgRef)
+		return err
+	}, opts.retryOpts); err != nil {
+		return err
+	}
+
+	outputData := tagListOutput{
+		Repository: repositoryName,
+		Tags:       tagListing,
+	}
+
+	out, err := json.MarshalIndent(outputData, "", "    ")
+	if err != nil {
+		return err
+	}
+	_, err = fmt.Fprintf(stdout, "%s\n", string(out))
+
+	return err
+}

cmd/skopeo/list_tags_test.go

@@ -0,0 +1,58 @@
+package main
+
+import (
+	"testing"
+
+	"github.com/containers/image/v5/transports/alltransports"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+// Tests the kinds of inputs allowed and expected to the command
+func TestDockerRepositoryReferenceParser(t *testing.T) {
+	for _, test := range [][]string{
+		{"docker://myhost.com:1000/nginx"}, //no tag
+		{"docker://myhost.com/nginx"},      //no port or tag
+		{"docker://somehost.com"},          // Valid default expansion
+		{"docker://nginx"},                 // Valid default expansion
+	} {
+
+		ref, err := parseDockerRepositoryReference(test[0])
+		require.NoError(t, err)
+		expected, err := alltransports.ParseImageName(test[0])
+		require.NoError(t, err)
+		assert.Equal(t, expected.DockerReference().Name(), ref.DockerReference().Name(), "Mismatched parse result for input %v", test[0])
+	}
+
+	for _, test := range [][]string{
+		{"oci://somedir"},
+		{"dir:/somepath"},
+		{"docker-archive:/tmp/dir"},
+		{"container-storage:myhost.com/someimage"},
+		{"docker-daemon:myhost.com/someimage"},
+		{"docker://myhost.com:1000/nginx:foobar:foobar"},           // Invalid repository ref
+		{"docker://somehost.com:5000/"},                            // no repo
+		{"docker://myhost.com:1000/nginx:latest"},                  //tag not allowed
+		{"docker://myhost.com:1000/nginx@sha256:abcdef1234567890"}, //digest not allowed
+	} {
+		_, err := parseDockerRepositoryReference(test[0])
+		assert.Error(t, err, test[0])
+	}
+}
+
+func TestDockerRepositoryReferenceParserDrift(t *testing.T) {
+	for _, test := range [][]string{
+		{"docker://myhost.com:1000/nginx", "myhost.com:1000/nginx"}, //no tag
+		{"docker://myhost.com/nginx", "myhost.com/nginx"},           //no port or tag
+		{"docker://somehost.com", "docker.io/library/somehost.com"}, // Valid default expansion
+		{"docker://nginx", "docker.io/library/nginx"},               // Valid default expansion
+	} {
+
+		ref, err := parseDockerRepositoryReference(test[0])
+		ref2, err2 := alltransports.ParseImageName(test[0])
+
+		if assert.NoError(t, err, "Could not parse, got error on %v", test[0]) && assert.NoError(t, err2, "Could not parse with regular parser, got error on %v", test[0]) {
+			assert.Equal(t, ref.DockerReference().String(), ref2.DockerReference().String(), "Different parsing output for input %v. Repo parse = %v, regular parser = %v", test[0], ref, ref2)
+		}
+	}
+}

cmd/skopeo/login.go

@@ -0,0 +1,48 @@
+package main
+
+import (
+	"io"
+	"os"
+
+	"github.com/containers/common/pkg/auth"
+	commonFlag "github.com/containers/common/pkg/flag"
+	"github.com/containers/image/v5/types"
+	"github.com/spf13/cobra"
+)
+
+type loginOptions struct {
+	global    *globalOptions
+	loginOpts auth.LoginOptions
+	tlsVerify commonFlag.OptionalBool
+}
+
+func loginCmd(global *globalOptions) *cobra.Command {
+	opts := loginOptions{
+		global: global,
+	}
+	cmd := &cobra.Command{
+		Use:     "login [command options] REGISTRY",
+		Short:   "Login to a container registry",
+		Long:    "Login to a container registry on a specified server.",
+		RunE:    commandAction(opts.run),
+		Example: `skopeo login quay.io`,
+	}
+	adjustUsage(cmd)
+	flags := cmd.Flags()
+	commonFlag.OptionalBoolFlag(flags, &opts.tlsVerify, "tls-verify", "require HTTPS and verify certificates when accessing the registry")
+	flags.AddFlagSet(auth.GetLoginFlags(&opts.loginOpts))
+	return cmd
+}
+
+func (opts *loginOptions) run(args []string, stdout io.Writer) error {
+	ctx, cancel := opts.global.commandTimeoutContext()
+	defer cancel()
+	opts.loginOpts.Stdout = stdout
+	opts.loginOpts.Stdin = os.Stdin
+	opts.loginOpts.AcceptRepositories = true
+	sys := opts.global.newSystemContext()
+	if opts.tlsVerify.Present() {
+		sys.DockerInsecureSkipTLSVerify = types.NewOptionalBool(!opts.tlsVerify.Value())
+	}
+	return auth.Login(ctx, sys, &opts.loginOpts, args)
+}

cmd/skopeo/logout.go

@@ -0,0 +1,44 @@
+package main
+
+import (
+	"io"
+
+	"github.com/containers/common/pkg/auth"
+	commonFlag "github.com/containers/common/pkg/flag"
+	"github.com/containers/image/v5/types"
+	"github.com/spf13/cobra"
+)
+
+type logoutOptions struct {
+	global     *globalOptions
+	logoutOpts auth.LogoutOptions
+	tlsVerify  commonFlag.OptionalBool
+}
+
+func logoutCmd(global *globalOptions) *cobra.Command {
+	opts := logoutOptions{
+		global: global,
+	}
+	cmd := &cobra.Command{
+		Use:     "logout [command options] REGISTRY",
+		Short:   "Logout of a container registry",
+		Long:    "Logout of a container registry on a specified server.",
+		RunE:    commandAction(opts.run),
+		Example: `skopeo logout quay.io`,
+	}
+	adjustUsage(cmd)
+	flags := cmd.Flags()
+	commonFlag.OptionalBoolFlag(flags, &opts.tlsVerify, "tls-verify", "require HTTPS and verify certificates when accessing the registry")
+	flags.AddFlagSet(auth.GetLogoutFlags(&opts.logoutOpts))
+	return cmd
+}
+
+func (opts *logoutOptions) run(args []string, stdout io.Writer) error {
+	opts.logoutOpts.Stdout = stdout
+	opts.logoutOpts.AcceptRepositories = true
+	sys := opts.global.newSystemContext()
+	if opts.tlsVerify.Present() {
+		sys.DockerInsecureSkipTLSVerify = types.NewOptionalBool(!opts.tlsVerify.Value())
+	}
+	return auth.Logout(sys, &opts.logoutOpts, args)
+}

cmd/skopeo/main.go

@@ -0,0 +1,185 @@
+package main
+
+import (
+	"context"
+	"fmt"
+	"strings"
+	"time"
+
+	commonFlag "github.com/containers/common/pkg/flag"
+	"github.com/containers/image/v5/signature"
+	"github.com/containers/image/v5/types"
+	"github.com/containers/skopeo/version"
+	"github.com/containers/storage/pkg/reexec"
+	"github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"
+)
+
+// gitCommit will be the hash that the binary was built from
+// and will be populated by the Makefile
+var gitCommit = ""
+
+var defaultUserAgent = "skopeo/" + version.Version
+
+type globalOptions struct {
+	debug              bool                    // Enable debug output
+	tlsVerify          commonFlag.OptionalBool // Require HTTPS and verify certificates (for docker: and docker-daemon:)
+	policyPath         string                  // Path to a signature verification policy file
+	insecurePolicy     bool                    // Use an "allow everything" signature verification policy
+	registriesDirPath  string                  // Path to a "registries.d" registry configuration directory
+	overrideArch       string                  // Architecture to use for choosing images, instead of the runtime one
+	overrideOS         string                  // OS to use for choosing images, instead of the runtime one
+	overrideVariant    string                  // Architecture variant to use for choosing images, instead of the runtime one
+	commandTimeout     time.Duration           // Timeout for the command execution
+	registriesConfPath string                  // Path to the "registries.conf" file
+	tmpDir             string                  // Path to use for big temporary files
+}
+
+// requireSubcommand returns an error if no sub command is provided
+// This was copied from podman: `github.com/containers/podman/cmd/podman/validate/args.go
+// Some small style changes to match skopeo were applied, but try to apply any
+// bugfixes there first.
+func requireSubcommand(cmd *cobra.Command, args []string) error {
+	if len(args) > 0 {
+		suggestions := cmd.SuggestionsFor(args[0])
+		if len(suggestions) == 0 {
+			return fmt.Errorf("Unrecognized command `%[1]s %[2]s`\nTry '%[1]s --help' for more information", cmd.CommandPath(), args[0])
+		}
+		return fmt.Errorf("Unrecognized command `%[1]s %[2]s`\n\nDid you mean this?\n\t%[3]s\n\nTry '%[1]s --help' for more information", cmd.CommandPath(), args[0], strings.Join(suggestions, "\n\t"))
+	}
+	return fmt.Errorf("Missing command '%[1]s COMMAND'\nTry '%[1]s --help' for more information", cmd.CommandPath())
+}
+
+// createApp returns a cobra.Command, and the underlying globalOptions object, to be run or tested.
+func createApp() (*cobra.Command, *globalOptions) {
+	opts := globalOptions{}
+
+	rootCommand := &cobra.Command{
+		Use:  "skopeo",
+		Long: "Various operations with container images and container image registries",
+		RunE: requireSubcommand,
+		PersistentPreRunE: func(cmd *cobra.Command, args []string) error {
+			return opts.before(cmd)
+		},
+		SilenceUsage:  true,
+		SilenceErrors: true,
+		// Currently, skopeo uses manually written completions.  Cobra allows
+		// for auto-generating completions for various shells.  Podman is
+		// already making us of that.  If Skopeo decides to follow, please
+		// remove the line below (and hide the `completion` command).
+		CompletionOptions: cobra.CompletionOptions{DisableDefaultCmd: true},
+		// This is documented to parse "local" (non-PersistentFlags) flags of parent commands before
+		// running subcommands and handling their options. We don't really run into such cases,
+		// because all of our flags on rootCommand are in PersistentFlags, except for the deprecated --tls-verify;
+		// in that case we need TraverseChildren so that we can distinguish between
+		// (skopeo --tls-verify inspect) (causes a warning) and (skopeo inspect --tls-verify) (no warning).
+		TraverseChildren: true,
+	}
+	if gitCommit != "" {
+		rootCommand.Version = fmt.Sprintf("%s commit: %s", version.Version, gitCommit)
+	} else {
+		rootCommand.Version = version.Version
+	}
+	// Override default `--version` global flag to enable `-v` shorthand
+	var dummyVersion bool
+	rootCommand.Flags().BoolVarP(&dummyVersion, "version", "v", false, "Version for Skopeo")
+	rootCommand.PersistentFlags().BoolVar(&opts.debug, "debug", false, "enable debug output")
+	rootCommand.PersistentFlags().StringVar(&opts.policyPath, "policy", "", "Path to a trust policy file")
+	rootCommand.PersistentFlags().BoolVar(&opts.insecurePolicy, "insecure-policy", false, "run the tool without any policy check")
+	rootCommand.PersistentFlags().StringVar(&opts.registriesDirPath, "registries.d", "", "use registry configuration files in `DIR` (e.g. for container signature storage)")
+	rootCommand.PersistentFlags().StringVar(&opts.overrideArch, "override-arch", "", "use `ARCH` instead of the architecture of the machine for choosing images")
+	rootCommand.PersistentFlags().StringVar(&opts.overrideOS, "override-os", "", "use `OS` instead of the running OS for choosing images")
+	rootCommand.PersistentFlags().StringVar(&opts.overrideVariant, "override-variant", "", "use `VARIANT` instead of the running architecture variant for choosing images")
+	rootCommand.PersistentFlags().DurationVar(&opts.commandTimeout, "command-timeout", 0, "timeout for the command execution")
+	rootCommand.PersistentFlags().StringVar(&opts.registriesConfPath, "registries-conf", "", "path to the registries.conf file")
+	if err := rootCommand.PersistentFlags().MarkHidden("registries-conf"); err != nil {
+		logrus.Fatal("unable to mark registries-conf flag as hidden")
+	}
+	rootCommand.PersistentFlags().StringVar(&opts.tmpDir, "tmpdir", "", "directory used to store temporary files")
+	flag := commonFlag.OptionalBoolFlag(rootCommand.Flags(), &opts.tlsVerify, "tls-verify", "Require HTTPS and verify certificates when accessing the registry")
+	flag.Hidden = true
+	rootCommand.AddCommand(
+		copyCmd(&opts),
+		deleteCmd(&opts),
+		inspectCmd(&opts),
+		layersCmd(&opts),
+		loginCmd(&opts),
+		logoutCmd(&opts),
+		manifestDigestCmd(),
+		proxyCmd(&opts),
+		syncCmd(&opts),
+		standaloneSignCmd(),
+		standaloneVerifyCmd(),
+		tagsCmd(&opts),
+		untrustedSignatureDumpCmd(),
+	)
+	return rootCommand, &opts
+}
+
+// before is run by the cli package for any command, before running the command-specific handler.
+func (opts *globalOptions) before(cmd *cobra.Command) error {
+	if opts.debug {
+		logrus.SetLevel(logrus.DebugLevel)
+	}
+	if opts.tlsVerify.Present() {
+		logrus.Warn("'--tls-verify' is deprecated, please set this on the specific subcommand")
+	}
+	return nil
+}
+
+func main() {
+	if reexec.Init() {
+		return
+	}
+	rootCmd, _ := createApp()
+	if err := rootCmd.Execute(); err != nil {
+		logrus.Fatal(err)
+	}
+}
+
+// getPolicyContext returns a *signature.PolicyContext based on opts.
+func (opts *globalOptions) getPolicyContext() (*signature.PolicyContext, error) {
+	var policy *signature.Policy // This could be cached across calls in opts.
+	var err error
+	if opts.insecurePolicy {
+		policy = &signature.Policy{Default: []signature.PolicyRequirement{signature.NewPRInsecureAcceptAnything()}}
+	} else if opts.policyPath == "" {
+		policy, err = signature.DefaultPolicy(nil)
+	} else {
+		policy, err = signature.NewPolicyFromFile(opts.policyPath)
+	}
+	if err != nil {
+		return nil, err
+	}
+	return signature.NewPolicyContext(policy)
+}
+
+// commandTimeoutContext returns a context.Context and a cancellation callback based on opts.
+// The caller should usually "defer cancel()" immediately after calling this.
+func (opts *globalOptions) commandTimeoutContext() (context.Context, context.CancelFunc) {
+	ctx := context.Background()
+	var cancel context.CancelFunc = func() {}
+	if opts.commandTimeout > 0 {
+		ctx, cancel = context.WithTimeout(ctx, opts.commandTimeout)
+	}
+	return ctx, cancel
+}
+
+// newSystemContext returns a *types.SystemContext corresponding to opts.
+// It is guaranteed to return a fresh instance, so it is safe to make additional updates to it.
+func (opts *globalOptions) newSystemContext() *types.SystemContext {
+	ctx := &types.SystemContext{
+		RegistriesDirPath:        opts.registriesDirPath,
+		ArchitectureChoice:       opts.overrideArch,
+		OSChoice:                 opts.overrideOS,
+		VariantChoice:            opts.overrideVariant,
+		SystemRegistriesConfPath: opts.registriesConfPath,
+		BigFilesTemporaryDir:     opts.tmpDir,
+		DockerRegistryUserAgent:  defaultUserAgent,
+	}
+	// DEPRECATED: We support this for backward compatibility, but override it if a per-image flag is provided.
+	if opts.tlsVerify.Present() {
+		ctx.DockerInsecureSkipTLSVerify = types.NewOptionalBool(!opts.tlsVerify.Value())
+	}
+	return ctx
+}

cmd/skopeo/main_test.go

@@ -0,0 +1,51 @@
+package main
+
+import (
+	"bytes"
+	"testing"
+
+	"github.com/containers/image/v5/types"
+	"github.com/stretchr/testify/assert"
+)
+
+// runSkopeo creates an app object and runs it with args, with an implied first "skopeo".
+// Returns output intended for stdout and the returned error, if any.
+func runSkopeo(args ...string) (string, error) {
+	app, _ := createApp()
+	stdout := bytes.Buffer{}
+	app.SetOut(&stdout)
+	app.SetArgs(args)
+	err := app.Execute()
+	return stdout.String(), err
+}
+
+func TestGlobalOptionsNewSystemContext(t *testing.T) {
+	// Default state
+	opts, _ := fakeGlobalOptions(t, []string{})
+	res := opts.newSystemContext()
+	assert.Equal(t, &types.SystemContext{
+		// User-Agent is set by default.
+		DockerRegistryUserAgent: defaultUserAgent,
+	}, res)
+	// Set everything to non-default values.
+	opts, _ = fakeGlobalOptions(t, []string{
+		"--registries.d", "/srv/registries.d",
+		"--override-arch", "overridden-arch",
+		"--override-os", "overridden-os",
+		"--override-variant", "overridden-variant",
+		"--tmpdir", "/srv",
+		"--registries-conf", "/srv/registries.conf",
+		"--tls-verify=false",
+	})
+	res = opts.newSystemContext()
+	assert.Equal(t, &types.SystemContext{
+		RegistriesDirPath:           "/srv/registries.d",
+		ArchitectureChoice:          "overridden-arch",
+		OSChoice:                    "overridden-os",
+		VariantChoice:               "overridden-variant",
+		BigFilesTemporaryDir:        "/srv",
+		SystemRegistriesConfPath:    "/srv/registries.conf",
+		DockerInsecureSkipTLSVerify: types.OptionalBoolTrue,
+		DockerRegistryUserAgent:     defaultUserAgent,
+	}, res)
+}

cmd/skopeo/manifest.go

@@ -0,0 +1,44 @@
+package main
+
+import (
+	"errors"
+	"fmt"
+	"io"
+	"io/ioutil"
+
+	"github.com/containers/image/v5/manifest"
+	"github.com/spf13/cobra"
+)
+
+type manifestDigestOptions struct {
+}
+
+func manifestDigestCmd() *cobra.Command {
+	var opts manifestDigestOptions
+	cmd := &cobra.Command{
+		Use:     "manifest-digest MANIFEST-FILE",
+		Short:   "Compute a manifest digest of a file",
+		RunE:    commandAction(opts.run),
+		Example: "skopeo manifest-digest manifest.json",
+	}
+	adjustUsage(cmd)
+	return cmd
+}
+
+func (opts *manifestDigestOptions) run(args []string, stdout io.Writer) error {
+	if len(args) != 1 {
+		return errors.New("Usage: skopeo manifest-digest manifest")
+	}
+	manifestPath := args[0]
+
+	man, err := ioutil.ReadFile(manifestPath)
+	if err != nil {
+		return fmt.Errorf("Error reading manifest from %s: %v", manifestPath, err)
+	}
+	digest, err := manifest.Digest(man)
+	if err != nil {
+		return fmt.Errorf("Error computing digest: %v", err)
+	}
+	fmt.Fprintf(stdout, "%s\n", digest)
+	return nil
+}

cmd/skopeo/manifest_test.go

@@ -0,0 +1,31 @@
+package main
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestManifestDigest(t *testing.T) {
+	// Invalid command-line arguments
+	for _, args := range [][]string{
+		{},
+		{"a1", "a2"},
+	} {
+		out, err := runSkopeo(append([]string{"manifest-digest"}, args...)...)
+		assertTestFailed(t, out, err, "Usage")
+	}
+
+	// Error reading manifest
+	out, err := runSkopeo("manifest-digest", "/this/does/not/exist")
+	assertTestFailed(t, out, err, "/this/does/not/exist")
+
+	// Error computing manifest
+	out, err = runSkopeo("manifest-digest", "fixtures/v2s1-invalid-signatures.manifest.json")
+	assertTestFailed(t, out, err, "computing digest")
+
+	// Success
+	out, err = runSkopeo("manifest-digest", "fixtures/image.manifest.json")
+	assert.NoError(t, err)
+	assert.Equal(t, fixturesTestImageManifestDigest.String()+"\n", out)
+}

cmd/skopeo/proxy.go

@@ -0,0 +1,734 @@
+//go:build !windows
+// +build !windows
+
+package main
+
+/*
+  This code is currently only intended to be used by ostree
+  to fetch content via containers.  The API is subject
+  to change.  A goal however is to stabilize the API
+  eventually as a full out-of-process interface to the
+  core containers/image library functionality.
+
+  To use this command, in a parent process create a
+  `socketpair()` of type `SOCK_SEQPACKET`.  Fork
+  off this command, and pass one half of the socket
+  pair to the child.  Providing it on stdin (fd 0)
+  is the expected default.
+
+  The protocol is JSON for the control layer,
+  and  a read side of a `pipe()` passed for large data.
+
+ Base JSON protocol:
+
+ request: { method: "MethodName": args: [arguments] }
+ reply: { success: bool, value: JSVAL, pipeid: number, error: string }
+
+ For any non-metadata i.e. payload data from `GetManifest`
+ and `GetBlob` the server will pass back the read half of a `pipe(2)` via FD passing,
+ along with a `pipeid` integer.
+
+ The expected flow looks like this:
+
+  - Initialize
+    And validate the returned protocol version versus
+	what your client supports.
+  - OpenImage docker://quay.io/someorg/example:latest
+    (returns an imageid)
+  - GetManifest imageid (and associated <pipeid>)
+  (Streaming read data from pipe)
+  - FinishPipe <pipeid>
+  - GetBlob imageid sha256:...
+  (Streaming read data from pipe)
+  - FinishPipe <pipeid>
+  - GetBlob imageid sha256:...
+  (Streaming read data from pipe)
+  - FinishPipe <pipeid>
+  - CloseImage imageid
+
+ You may interleave invocations of these methods, e.g. one
+ can also invoke `OpenImage` multiple times, as well as
+ starting multiple GetBlob requests before calling `FinishPipe`
+ on them.  The server will stream data into the pipefd
+ until `FinishPipe` is invoked.
+
+ Note that the pipe will not be closed by the server until
+ the client has invoked `FinishPipe`.  This is to ensure
+ that the client checks for errors.  For example, `GetBlob`
+ performs digest (e.g. sha256) verification and this must
+ be checked after all data has been written.
+*/
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io"
+	"net"
+	"os"
+	"sync"
+	"syscall"
+
+	"github.com/containers/image/v5/image"
+	"github.com/containers/image/v5/manifest"
+	"github.com/containers/image/v5/pkg/blobinfocache"
+	"github.com/containers/image/v5/transports/alltransports"
+	"github.com/containers/image/v5/types"
+	"github.com/opencontainers/go-digest"
+	imgspecv1 "github.com/opencontainers/image-spec/specs-go/v1"
+	"github.com/spf13/cobra"
+)
+
+// protocolVersion is semantic version of the protocol used by this proxy.
+// The first version of the protocol has major version 0.2 to signify a
+// departure from the original code which used HTTP.
+//
+// 0.2.1: Initial version
+// 0.2.2: Added support for fetching image configuration as OCI
+// 0.2.3: Added GetFullConfig
+const protocolVersion = "0.2.3"
+
+// maxMsgSize is the current limit on a packet size.
+// Note that all non-metadata (i.e. payload data) is sent over a pipe.
+const maxMsgSize = 32 * 1024
+
+// maxJSONFloat is ECMA Number.MAX_SAFE_INTEGER
+// https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Number/MAX_SAFE_INTEGER
+// We hard error if the input JSON numbers we expect to be
+// integers are above this.
+const maxJSONFloat = float64(1<<53 - 1)
+
+// request is the JSON serialization of a function call
+type request struct {
+	// Method is the name of the function
+	Method string `json:"method"`
+	// Args is the arguments (parsed inside the function)
+	Args []interface{} `json:"args"`
+}
+
+// reply is serialized to JSON as the return value from a function call.
+type reply struct {
+	// Success is true if and only if the call succeeded.
+	Success bool `json:"success"`
+	// Value is an arbitrary value (or values, as array/map) returned from the call.
+	Value interface{} `json:"value"`
+	// PipeID is an index into open pipes, and should be passed to FinishPipe
+	PipeID uint32 `json:"pipeid"`
+	// Error should be non-empty if Success == false
+	Error string `json:"error"`
+}
+
+// replyBuf is our internal deserialization of reply plus optional fd
+type replyBuf struct {
+	// value will be converted to a reply Value
+	value interface{}
+	// fd is the read half of a pipe, passed back to the client
+	fd *os.File
+	// pipeid will be provided to the client as PipeID, an index into our open pipes
+	pipeid uint32
+}
+
+// activePipe is an open pipe to the client.
+// It contains an error value
+type activePipe struct {
+	// w is the write half of the pipe
+	w *os.File
+	// wg is completed when our worker goroutine is done
+	wg sync.WaitGroup
+	// err may be set in our worker goroutine
+	err error
+}
+
+// openImage is an opened image reference
+type openImage struct {
+	// id is an opaque integer handle
+	id        uint32
+	src       types.ImageSource
+	cachedimg types.Image
+}
+
+// proxyHandler is the state associated with our socket.
+type proxyHandler struct {
+	// lock protects everything else in this structure.
+	lock sync.Mutex
+	// opts is CLI options
+	opts   *proxyOptions
+	sysctx *types.SystemContext
+	cache  types.BlobInfoCache
+
+	// imageSerial is a counter for open images
+	imageSerial uint32
+	// images holds our opened images
+	images map[uint32]*openImage
+	// activePipes maps from "pipeid" to a pipe + goroutine pair
+	activePipes map[uint32]*activePipe
+}
+
+// Initialize performs one-time initialization, and returns the protocol version
+func (h *proxyHandler) Initialize(args []interface{}) (replyBuf, error) {
+	h.lock.Lock()
+	defer h.lock.Unlock()
+
+	var ret replyBuf
+
+	if len(args) != 0 {
+		return ret, fmt.Errorf("invalid request, expecting zero arguments")
+	}
+
+	if h.sysctx != nil {
+		return ret, fmt.Errorf("already initialized")
+	}
+
+	sysctx, err := h.opts.imageOpts.newSystemContext()
+	if err != nil {
+		return ret, err
+	}
+	h.sysctx = sysctx
+	h.cache = blobinfocache.DefaultCache(sysctx)
+
+	r := replyBuf{
+		value: protocolVersion,
+	}
+	return r, nil
+}
+
+// OpenImage accepts a string image reference i.e. TRANSPORT:REF - like `skopeo copy`.
+// The return value is an opaque integer handle.
+func (h *proxyHandler) OpenImage(args []interface{}) (replyBuf, error) {
+	h.lock.Lock()
+	defer h.lock.Unlock()
+	var ret replyBuf
+
+	if h.sysctx == nil {
+		return ret, fmt.Errorf("client error: must invoke Initialize")
+	}
+	if len(args) != 1 {
+		return ret, fmt.Errorf("invalid request, expecting one argument")
+	}
+	imageref, ok := args[0].(string)
+	if !ok {
+		return ret, fmt.Errorf("expecting string imageref, not %T", args[0])
+	}
+
+	imgRef, err := alltransports.ParseImageName(imageref)
+	if err != nil {
+		return ret, err
+	}
+	imgsrc, err := imgRef.NewImageSource(context.Background(), h.sysctx)
+	if err != nil {
+		return ret, err
+	}
+
+	h.imageSerial++
+	openimg := &openImage{
+		id:  h.imageSerial,
+		src: imgsrc,
+	}
+	h.images[openimg.id] = openimg
+	ret.value = openimg.id
+
+	return ret, nil
+}
+
+func (h *proxyHandler) CloseImage(args []interface{}) (replyBuf, error) {
+	h.lock.Lock()
+	defer h.lock.Unlock()
+	var ret replyBuf
+
+	if h.sysctx == nil {
+		return ret, fmt.Errorf("client error: must invoke Initialize")
+	}
+	if len(args) != 1 {
+		return ret, fmt.Errorf("invalid request, expecting one argument")
+	}
+	imgref, err := h.parseImageFromID(args[0])
+	if err != nil {
+		return ret, err
+	}
+	imgref.src.Close()
+	delete(h.images, imgref.id)
+
+	return ret, nil
+}
+
+func parseImageID(v interface{}) (uint32, error) {
+	imgidf, ok := v.(float64)
+	if !ok {
+		return 0, fmt.Errorf("expecting integer imageid, not %T", v)
+	}
+	return uint32(imgidf), nil
+}
+
+// parseUint64 validates that a number fits inside a JavaScript safe integer
+func parseUint64(v interface{}) (uint64, error) {
+	f, ok := v.(float64)
+	if !ok {
+		return 0, fmt.Errorf("expecting numeric, not %T", v)
+	}
+	if f > maxJSONFloat {
+		return 0, fmt.Errorf("out of range integer for numeric %f", f)
+	}
+	return uint64(f), nil
+}
+
+func (h *proxyHandler) parseImageFromID(v interface{}) (*openImage, error) {
+	imgid, err := parseImageID(v)
+	if err != nil {
+		return nil, err
+	}
+	imgref, ok := h.images[imgid]
+	if !ok {
+		return nil, fmt.Errorf("no image %v", imgid)
+	}
+	return imgref, nil
+}
+
+func (h *proxyHandler) allocPipe() (*os.File, *activePipe, error) {
+	piper, pipew, err := os.Pipe()
+	if err != nil {
+		return nil, nil, err
+	}
+	f := activePipe{
+		w: pipew,
+	}
+	h.activePipes[uint32(pipew.Fd())] = &f
+	f.wg.Add(1)
+	return piper, &f, nil
+}
+
+// returnBytes generates a return pipe() from a byte array
+// In the future it might be nicer to return this via memfd_create()
+func (h *proxyHandler) returnBytes(retval interface{}, buf []byte) (replyBuf, error) {
+	var ret replyBuf
+	piper, f, err := h.allocPipe()
+	if err != nil {
+		return ret, err
+	}
+
+	go func() {
+		// Signal completion when we return
+		defer f.wg.Done()
+		_, err = io.Copy(f.w, bytes.NewReader(buf))
+		if err != nil {
+			f.err = err
+		}
+	}()
+
+	ret.value = retval
+	ret.fd = piper
+	ret.pipeid = uint32(f.w.Fd())
+	return ret, nil
+}
+
+// cacheTargetManifest is invoked when GetManifest or GetConfig is invoked
+// the first time for a given image.  If the requested image is a manifest
+// list, this function resolves it to the image matching the calling process'
+// operating system and architecture.
+//
+// TODO: Add GetRawManifest or so that exposes manifest lists
+func (h *proxyHandler) cacheTargetManifest(img *openImage) error {
+	ctx := context.Background()
+	if img.cachedimg != nil {
+		return nil
+	}
+	unparsedToplevel := image.UnparsedInstance(img.src, nil)
+	mfest, manifestType, err := unparsedToplevel.Manifest(ctx)
+	if err != nil {
+		return err
+	}
+	var target *image.UnparsedImage
+	if manifest.MIMETypeIsMultiImage(manifestType) {
+		manifestList, err := manifest.ListFromBlob(mfest, manifestType)
+		if err != nil {
+			return err
+		}
+		instanceDigest, err := manifestList.ChooseInstance(h.sysctx)
+		if err != nil {
+			return err
+		}
+		target = image.UnparsedInstance(img.src, &instanceDigest)
+	} else {
+		target = unparsedToplevel
+	}
+	cachedimg, err := image.FromUnparsedImage(ctx, h.sysctx, target)
+	if err != nil {
+		return err
+	}
+	img.cachedimg = cachedimg
+	return nil
+}
+
+// GetManifest returns a copy of the manifest, converted to OCI format, along with the original digest.
+// Manifest lists are resolved to the current operating system and architecture.
+func (h *proxyHandler) GetManifest(args []interface{}) (replyBuf, error) {
+	h.lock.Lock()
+	defer h.lock.Unlock()
+
+	var ret replyBuf
+
+	if h.sysctx == nil {
+		return ret, fmt.Errorf("client error: must invoke Initialize")
+	}
+	if len(args) != 1 {
+		return ret, fmt.Errorf("invalid request, expecting one argument")
+	}
+	imgref, err := h.parseImageFromID(args[0])
+	if err != nil {
+		return ret, err
+	}
+
+	err = h.cacheTargetManifest(imgref)
+	if err != nil {
+		return ret, err
+	}
+	img := imgref.cachedimg
+
+	ctx := context.Background()
+	rawManifest, manifestType, err := img.Manifest(ctx)
+	if err != nil {
+		return ret, err
+	}
+
+	// We only support OCI and docker2schema2.  We know docker2schema2 can be easily+cheaply
+	// converted into OCI, so consumers only need to see OCI.
+	switch manifestType {
+	case imgspecv1.MediaTypeImageManifest, manifest.DockerV2Schema2MediaType:
+		break
+	// Explicitly reject e.g. docker schema 1 type with a "legacy" note
+	case manifest.DockerV2Schema1MediaType, manifest.DockerV2Schema1SignedMediaType:
+		return ret, fmt.Errorf("unsupported legacy manifest MIME type: %s", manifestType)
+	default:
+		return ret, fmt.Errorf("unsupported manifest MIME type: %s", manifestType)
+	}
+
+	// We always return the original digest, as that's what clients need to do pull-by-digest
+	// and in general identify the image.
+	digest, err := manifest.Digest(rawManifest)
+	if err != nil {
+		return ret, err
+	}
+	var serialized []byte
+	// But, we convert to OCI format on the wire if it's not already.  The idea here is that by reusing the containers/image
+	// stack, clients to this proxy can pretend the world is OCI only, and not need to care about e.g.
+	// docker schema and MIME types.
+	if manifestType != imgspecv1.MediaTypeImageManifest {
+		manifestUpdates := types.ManifestUpdateOptions{ManifestMIMEType: imgspecv1.MediaTypeImageManifest}
+		ociImage, err := img.UpdatedImage(ctx, manifestUpdates)
+		if err != nil {
+			return ret, err
+		}
+
+		ociSerialized, _, err := ociImage.Manifest(ctx)
+		if err != nil {
+			return ret, err
+		}
+		serialized = ociSerialized
+	} else {
+		serialized = rawManifest
+	}
+	return h.returnBytes(digest, serialized)
+}
+
+// GetFullConfig returns a copy of the image configuration, converted to OCI format.
+// https://github.com/opencontainers/image-spec/blob/main/config.md
+func (h *proxyHandler) GetFullConfig(args []interface{}) (replyBuf, error) {
+	h.lock.Lock()
+	defer h.lock.Unlock()
+
+	var ret replyBuf
+
+	if h.sysctx == nil {
+		return ret, fmt.Errorf("client error: must invoke Initialize")
+	}
+	if len(args) != 1 {
+		return ret, fmt.Errorf("invalid request, expecting: [imgid]")
+	}
+	imgref, err := h.parseImageFromID(args[0])
+	if err != nil {
+		return ret, err
+	}
+	err = h.cacheTargetManifest(imgref)
+	if err != nil {
+		return ret, err
+	}
+	img := imgref.cachedimg
+
+	ctx := context.TODO()
+	config, err := img.OCIConfig(ctx)
+	if err != nil {
+		return ret, err
+	}
+	serialized, err := json.Marshal(&config)
+	if err != nil {
+		return ret, err
+	}
+	return h.returnBytes(nil, serialized)
+}
+
+// GetConfig returns a copy of the container runtime configuration, converted to OCI format.
+// Note that due to a historical mistake, this returns not the full image configuration,
+// but just the container runtime configuration.  You should use GetFullConfig instead.
+func (h *proxyHandler) GetConfig(args []interface{}) (replyBuf, error) {
+	h.lock.Lock()
+	defer h.lock.Unlock()
+
+	var ret replyBuf
+
+	if h.sysctx == nil {
+		return ret, fmt.Errorf("client error: must invoke Initialize")
+	}
+	if len(args) != 1 {
+		return ret, fmt.Errorf("invalid request, expecting: [imgid]")
+	}
+	imgref, err := h.parseImageFromID(args[0])
+	if err != nil {
+		return ret, err
+	}
+	err = h.cacheTargetManifest(imgref)
+	if err != nil {
+		return ret, err
+	}
+	img := imgref.cachedimg
+
+	ctx := context.TODO()
+	config, err := img.OCIConfig(ctx)
+	if err != nil {
+		return ret, err
+	}
+	serialized, err := json.Marshal(&config.Config)
+	if err != nil {
+		return ret, err
+	}
+	return h.returnBytes(nil, serialized)
+}
+
+// GetBlob fetches a blob, performing digest verification.
+func (h *proxyHandler) GetBlob(args []interface{}) (replyBuf, error) {
+	h.lock.Lock()
+	defer h.lock.Unlock()
+
+	var ret replyBuf
+
+	if h.sysctx == nil {
+		return ret, fmt.Errorf("client error: must invoke Initialize")
+	}
+	if len(args) != 3 {
+		return ret, fmt.Errorf("found %d args, expecting (imgid, digest, size)", len(args))
+	}
+	imgref, err := h.parseImageFromID(args[0])
+	if err != nil {
+		return ret, err
+	}
+	digestStr, ok := args[1].(string)
+	if !ok {
+		return ret, fmt.Errorf("expecting string blobid")
+	}
+	size, err := parseUint64(args[2])
+	if err != nil {
+		return ret, err
+	}
+
+	ctx := context.TODO()
+	d, err := digest.Parse(digestStr)
+	if err != nil {
+		return ret, err
+	}
+	blobr, blobSize, err := imgref.src.GetBlob(ctx, types.BlobInfo{Digest: d, Size: int64(size)}, h.cache)
+	if err != nil {
+		return ret, err
+	}
+
+	piper, f, err := h.allocPipe()
+	if err != nil {
+		return ret, err
+	}
+	go func() {
+		// Signal completion when we return
+		defer f.wg.Done()
+		verifier := d.Verifier()
+		tr := io.TeeReader(blobr, verifier)
+		n, err := io.Copy(f.w, tr)
+		if err != nil {
+			f.err = err
+			return
+		}
+		if n != int64(size) {
+			f.err = fmt.Errorf("expected %d bytes in blob, got %d", size, n)
+		}
+		if !verifier.Verified() {
+			f.err = fmt.Errorf("corrupted blob, expecting %s", d.String())
+		}
+	}()
+
+	ret.value = blobSize
+	ret.fd = piper
+	ret.pipeid = uint32(f.w.Fd())
+	return ret, nil
+}
+
+// FinishPipe waits for the worker goroutine to finish, and closes the write side of the pipe.
+func (h *proxyHandler) FinishPipe(args []interface{}) (replyBuf, error) {
+	h.lock.Lock()
+	defer h.lock.Unlock()
+
+	var ret replyBuf
+
+	pipeidv, err := parseUint64(args[0])
+	if err != nil {
+		return ret, err
+	}
+	pipeid := uint32(pipeidv)
+
+	f, ok := h.activePipes[pipeid]
+	if !ok {
+		return ret, fmt.Errorf("finishpipe: no active pipe %d", pipeid)
+	}
+
+	// Wait for the goroutine to complete
+	f.wg.Wait()
+	// And only now do we close the write half; this forces the client to call this API
+	f.w.Close()
+	// Propagate any errors from the goroutine worker
+	err = f.err
+	delete(h.activePipes, pipeid)
+	return ret, err
+}
+
+// send writes a reply buffer to the socket
+func (buf replyBuf) send(conn *net.UnixConn, err error) error {
+	replyToSerialize := reply{
+		Success: err == nil,
+		Value:   buf.value,
+		PipeID:  buf.pipeid,
+	}
+	if err != nil {
+		replyToSerialize.Error = err.Error()
+	}
+	serializedReply, err := json.Marshal(&replyToSerialize)
+	if err != nil {
+		return err
+	}
+	// We took ownership of the FD - close it when we're done.
+	defer func() {
+		if buf.fd != nil {
+			buf.fd.Close()
+		}
+	}()
+	// Copy the FD number to the socket ancillary buffer
+	fds := make([]int, 0)
+	if buf.fd != nil {
+		fds = append(fds, int(buf.fd.Fd()))
+	}
+	oob := syscall.UnixRights(fds...)
+	n, oobn, err := conn.WriteMsgUnix(serializedReply, oob, nil)
+	if err != nil {
+		return err
+	}
+	// Validate that we sent the full packet
+	if n != len(serializedReply) || oobn != len(oob) {
+		return io.ErrShortWrite
+	}
+	return nil
+}
+
+type proxyOptions struct {
+	global    *globalOptions
+	imageOpts *imageOptions
+	sockFd    int
+}
+
+func proxyCmd(global *globalOptions) *cobra.Command {
+	sharedFlags, sharedOpts := sharedImageFlags()
+	imageFlags, imageOpts := imageFlags(global, sharedOpts, nil, "", "")
+	opts := proxyOptions{global: global, imageOpts: imageOpts}
+	cmd := &cobra.Command{
+		Use:   "experimental-image-proxy [command options] IMAGE",
+		Short: "Interactive proxy for fetching container images (EXPERIMENTAL)",
+		Long:  `Run skopeo as a proxy, supporting HTTP requests to fetch manifests and blobs.`,
+		RunE:  commandAction(opts.run),
+		Args:  cobra.ExactArgs(0),
+		// Not stabilized yet
+		Hidden:  true,
+		Example: `skopeo experimental-image-proxy --sockfd 3`,
+	}
+	adjustUsage(cmd)
+	flags := cmd.Flags()
+	flags.AddFlagSet(&sharedFlags)
+	flags.AddFlagSet(&imageFlags)
+	flags.IntVar(&opts.sockFd, "sockfd", 0, "Serve on opened socket pair (default 0/stdin)")
+	return cmd
+}
+
+// processRequest dispatches a remote request.
+// replyBuf is the result of the invocation.
+// terminate should be true if processing of requests should halt.
+func (h *proxyHandler) processRequest(req request) (rb replyBuf, terminate bool, err error) {
+	// Dispatch on the method
+	switch req.Method {
+	case "Initialize":
+		rb, err = h.Initialize(req.Args)
+	case "OpenImage":
+		rb, err = h.OpenImage(req.Args)
+	case "CloseImage":
+		rb, err = h.CloseImage(req.Args)
+	case "GetManifest":
+		rb, err = h.GetManifest(req.Args)
+	case "GetConfig":
+		rb, err = h.GetConfig(req.Args)
+	case "GetFullConfig":
+		rb, err = h.GetFullConfig(req.Args)
+	case "GetBlob":
+		rb, err = h.GetBlob(req.Args)
+	case "FinishPipe":
+		rb, err = h.FinishPipe(req.Args)
+	case "Shutdown":
+		terminate = true
+	default:
+		err = fmt.Errorf("unknown method: %s", req.Method)
+	}
+	return
+}
+
+// Implementation of podman experimental-image-proxy
+func (opts *proxyOptions) run(args []string, stdout io.Writer) error {
+	handler := &proxyHandler{
+		opts:        opts,
+		images:      make(map[uint32]*openImage),
+		activePipes: make(map[uint32]*activePipe),
+	}
+
+	// Convert the socket FD passed by client into a net.FileConn
+	fd := os.NewFile(uintptr(opts.sockFd), "sock")
+	fconn, err := net.FileConn(fd)
+	if err != nil {
+		return err
+	}
+	conn := fconn.(*net.UnixConn)
+
+	// Allocate a buffer to copy the packet into
+	buf := make([]byte, maxMsgSize)
+	for {
+		n, _, err := conn.ReadFrom(buf)
+		if err != nil {
+			if errors.Is(err, io.EOF) {
+				return nil
+			}
+			return fmt.Errorf("reading socket: %v", err)
+		}
+		// Parse the request JSON
+		readbuf := buf[0:n]
+		var req request
+		if err := json.Unmarshal(readbuf, &req); err != nil {
+			rb := replyBuf{}
+			rb.send(conn, fmt.Errorf("invalid request: %v", err))
+		}
+
+		rb, terminate, err := handler.processRequest(req)
+		if terminate {
+			return nil
+		}
+		rb.send(conn, err)
+	}
+}

cmd/skopeo/proxy_windows.go

@@ -0,0 +1,30 @@
+//go:build windows
+// +build windows
+
+package main
+
+import (
+	"fmt"
+	"io"
+
+	"github.com/spf13/cobra"
+)
+
+type proxyOptions struct {
+	global *globalOptions
+}
+
+func proxyCmd(global *globalOptions) *cobra.Command {
+	opts := proxyOptions{global: global}
+	cmd := &cobra.Command{
+		RunE: commandAction(opts.run),
+		Args: cobra.ExactArgs(0),
+		// Not stabilized yet
+		Hidden: true,
+	}
+	return cmd
+}
+
+func (opts *proxyOptions) run(args []string, stdout io.Writer) error {
+	return fmt.Errorf("This command is not supported on Windows")
+}

cmd/skopeo/signing.go

@@ -0,0 +1,157 @@
+package main
+
+import (
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io"
+	"io/ioutil"
+
+	"github.com/containers/image/v5/pkg/cli"
+	"github.com/containers/image/v5/signature"
+	"github.com/spf13/cobra"
+)
+
+type standaloneSignOptions struct {
+	output         string // Output file path
+	passphraseFile string // Path pointing to a passphrase file when signing
+}
+
+func standaloneSignCmd() *cobra.Command {
+	opts := standaloneSignOptions{}
+	cmd := &cobra.Command{
+		Use:   "standalone-sign [command options] MANIFEST DOCKER-REFERENCE KEY-FINGERPRINT --output|-o SIGNATURE",
+		Short: "Create a signature using local files",
+		RunE:  commandAction(opts.run),
+	}
+	adjustUsage(cmd)
+	flags := cmd.Flags()
+	flags.StringVarP(&opts.output, "output", "o", "", "output the signature to `SIGNATURE`")
+	flags.StringVarP(&opts.passphraseFile, "passphrase-file", "", "", "file that contains a passphrase for the --sign-by key")
+	return cmd
+}
+
+func (opts *standaloneSignOptions) run(args []string, stdout io.Writer) error {
+	if len(args) != 3 || opts.output == "" {
+		return errors.New("Usage: skopeo standalone-sign manifest docker-reference key-fingerprint -o signature")
+	}
+	manifestPath := args[0]
+	dockerReference := args[1]
+	fingerprint := args[2]
+
+	manifest, err := ioutil.ReadFile(manifestPath)
+	if err != nil {
+		return fmt.Errorf("Error reading %s: %v", manifestPath, err)
+	}
+
+	mech, err := signature.NewGPGSigningMechanism()
+	if err != nil {
+		return fmt.Errorf("Error initializing GPG: %v", err)
+	}
+	defer mech.Close()
+
+	passphrase, err := cli.ReadPassphraseFile(opts.passphraseFile)
+	if err != nil {
+		return err
+	}
+
+	signature, err := signature.SignDockerManifestWithOptions(manifest, dockerReference, mech, fingerprint, &signature.SignOptions{Passphrase: passphrase})
+	if err != nil {
+		return fmt.Errorf("Error creating signature: %v", err)
+	}
+
+	if err := ioutil.WriteFile(opts.output, signature, 0644); err != nil {
+		return fmt.Errorf("Error writing signature to %s: %v", opts.output, err)
+	}
+	return nil
+}
+
+type standaloneVerifyOptions struct {
+}
+
+func standaloneVerifyCmd() *cobra.Command {
+	opts := standaloneVerifyOptions{}
+	cmd := &cobra.Command{
+		Use:   "standalone-verify MANIFEST DOCKER-REFERENCE KEY-FINGERPRINT SIGNATURE",
+		Short: "Verify a signature using local files",
+		RunE:  commandAction(opts.run),
+	}
+	adjustUsage(cmd)
+	return cmd
+}
+
+func (opts *standaloneVerifyOptions) run(args []string, stdout io.Writer) error {
+	if len(args) != 4 {
+		return errors.New("Usage: skopeo standalone-verify manifest docker-reference key-fingerprint signature")
+	}
+	manifestPath := args[0]
+	expectedDockerReference := args[1]
+	expectedFingerprint := args[2]
+	signaturePath := args[3]
+
+	unverifiedManifest, err := ioutil.ReadFile(manifestPath)
+	if err != nil {
+		return fmt.Errorf("Error reading manifest from %s: %v", manifestPath, err)
+	}
+	unverifiedSignature, err := ioutil.ReadFile(signaturePath)
+	if err != nil {
+		return fmt.Errorf("Error reading signature from %s: %v", signaturePath, err)
+	}
+
+	mech, err := signature.NewGPGSigningMechanism()
+	if err != nil {
+		return fmt.Errorf("Error initializing GPG: %v", err)
+	}
+	defer mech.Close()
+	sig, err := signature.VerifyDockerManifestSignature(unverifiedSignature, unverifiedManifest, expectedDockerReference, mech, expectedFingerprint)
+	if err != nil {
+		return fmt.Errorf("Error verifying signature: %v", err)
+	}
+
+	fmt.Fprintf(stdout, "Signature verified, digest %s\n", sig.DockerManifestDigest)
+	return nil
+}
+
+// WARNING: Do not use the contents of this for ANY security decisions,
+// and be VERY CAREFUL about showing this information to humans in any way which suggest that these values “are probably” reliable.
+// There is NO REASON to expect the values to be correct, or not intentionally misleading
+// (including things like “✅ Verified by $authority”)
+//
+// The subcommand is undocumented, and it may be renamed or entirely disappear in the future.
+type untrustedSignatureDumpOptions struct {
+}
+
+func untrustedSignatureDumpCmd() *cobra.Command {
+	opts := untrustedSignatureDumpOptions{}
+	cmd := &cobra.Command{
+		Use:    "untrusted-signature-dump-without-verification SIGNATURE",
+		Short:  "Dump contents of a signature WITHOUT VERIFYING IT",
+		RunE:   commandAction(opts.run),
+		Hidden: true,
+	}
+	adjustUsage(cmd)
+	return cmd
+}
+
+func (opts *untrustedSignatureDumpOptions) run(args []string, stdout io.Writer) error {
+	if len(args) != 1 {
+		return errors.New("Usage: skopeo untrusted-signature-dump-without-verification signature")
+	}
+	untrustedSignaturePath := args[0]
+
+	untrustedSignature, err := ioutil.ReadFile(untrustedSignaturePath)
+	if err != nil {
+		return fmt.Errorf("Error reading untrusted signature from %s: %v", untrustedSignaturePath, err)
+	}
+
+	untrustedInfo, err := signature.GetUntrustedSignatureInformationWithoutVerifying(untrustedSignature)
+	if err != nil {
+		return fmt.Errorf("Error decoding untrusted signature: %v", err)
+	}
+	untrustedOut, err := json.MarshalIndent(untrustedInfo, "", "    ")
+	if err != nil {
+		return err
+	}
+	fmt.Fprintln(stdout, string(untrustedOut))
+	return nil
+}

cmd/skopeo/signing_test.go

@@ -0,0 +1,178 @@
+package main
+
+import (
+	"encoding/json"
+	"io/ioutil"
+	"os"
+	"testing"
+	"time"
+
+	"github.com/containers/image/v5/signature"
+	"github.com/opencontainers/go-digest"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+const (
+	// fixturesTestImageManifestDigest is the Docker manifest digest of "image.manifest.json"
+	fixturesTestImageManifestDigest = digest.Digest("sha256:20bf21ed457b390829cdbeec8795a7bea1626991fda603e0d01b4e7f60427e55")
+	// fixturesTestKeyFingerprint is the fingerprint of the private key.
+	fixturesTestKeyFingerprint = "1D8230F6CDB6A06716E414C1DB72F2188BB46CC8"
+	// fixturesTestKeyFingerprint is the key ID of the private key.
+	fixturesTestKeyShortID = "DB72F2188BB46CC8"
+)
+
+// Test that results of runSkopeo failed with nothing on stdout, and substring
+// within the error message.
+func assertTestFailed(t *testing.T, stdout string, err error, substring string) {
+	assert.Error(t, err)
+	assert.Empty(t, stdout)
+	assert.Contains(t, err.Error(), substring)
+}
+
+func TestStandaloneSign(t *testing.T) {
+	mech, _, err := signature.NewEphemeralGPGSigningMechanism([]byte{})
+	require.NoError(t, err)
+	defer mech.Close()
+	if err := mech.SupportsSigning(); err != nil {
+		t.Skipf("Signing not supported: %v", err)
+	}
+
+	manifestPath := "fixtures/image.manifest.json"
+	dockerReference := "testing/manifest"
+	os.Setenv("GNUPGHOME", "fixtures")
+	defer os.Unsetenv("GNUPGHOME")
+
+	// Invalid command-line arguments
+	for _, args := range [][]string{
+		{},
+		{"a1", "a2"},
+		{"a1", "a2", "a3"},
+		{"a1", "a2", "a3", "a4"},
+		{"-o", "o", "a1", "a2"},
+		{"-o", "o", "a1", "a2", "a3", "a4"},
+	} {
+		out, err := runSkopeo(append([]string{"standalone-sign"}, args...)...)
+		assertTestFailed(t, out, err, "Usage")
+	}
+
+	// Error reading manifest
+	out, err := runSkopeo("standalone-sign", "-o", "/dev/null",
+		"/this/does/not/exist", dockerReference, fixturesTestKeyFingerprint)
+	assertTestFailed(t, out, err, "/this/does/not/exist")
+
+	// Invalid Docker reference
+	out, err = runSkopeo("standalone-sign", "-o", "/dev/null",
+		manifestPath, "" /* empty reference */, fixturesTestKeyFingerprint)
+	assertTestFailed(t, out, err, "empty signature content")
+
+	// Unknown key.
+	out, err = runSkopeo("standalone-sign", "-o", "/dev/null",
+		manifestPath, dockerReference, "UNKNOWN GPG FINGERPRINT")
+	assert.Error(t, err)
+	assert.Empty(t, out)
+
+	// Error writing output
+	out, err = runSkopeo("standalone-sign", "-o", "/dev/full",
+		manifestPath, dockerReference, fixturesTestKeyFingerprint)
+	assertTestFailed(t, out, err, "/dev/full")
+
+	// Success
+	sigOutput, err := ioutil.TempFile("", "sig")
+	require.NoError(t, err)
+	defer os.Remove(sigOutput.Name())
+	out, err = runSkopeo("standalone-sign", "-o", sigOutput.Name(),
+		manifestPath, dockerReference, fixturesTestKeyFingerprint)
+	require.NoError(t, err)
+	assert.Empty(t, out)
+
+	sig, err := ioutil.ReadFile(sigOutput.Name())
+	require.NoError(t, err)
+	manifest, err := ioutil.ReadFile(manifestPath)
+	require.NoError(t, err)
+	mech, err = signature.NewGPGSigningMechanism()
+	require.NoError(t, err)
+	defer mech.Close()
+	verified, err := signature.VerifyDockerManifestSignature(sig, manifest, dockerReference, mech, fixturesTestKeyFingerprint)
+	require.NoError(t, err)
+	assert.Equal(t, dockerReference, verified.DockerReference)
+	assert.Equal(t, fixturesTestImageManifestDigest, verified.DockerManifestDigest)
+}
+
+func TestStandaloneVerify(t *testing.T) {
+	manifestPath := "fixtures/image.manifest.json"
+	signaturePath := "fixtures/image.signature"
+	dockerReference := "testing/manifest"
+	os.Setenv("GNUPGHOME", "fixtures")
+	defer os.Unsetenv("GNUPGHOME")
+
+	// Invalid command-line arguments
+	for _, args := range [][]string{
+		{},
+		{"a1", "a2", "a3"},
+		{"a1", "a2", "a3", "a4", "a5"},
+	} {
+		out, err := runSkopeo(append([]string{"standalone-verify"}, args...)...)
+		assertTestFailed(t, out, err, "Usage")
+	}
+
+	// Error reading manifest
+	out, err := runSkopeo("standalone-verify", "/this/does/not/exist",
+		dockerReference, fixturesTestKeyFingerprint, signaturePath)
+	assertTestFailed(t, out, err, "/this/does/not/exist")
+
+	// Error reading signature
+	out, err = runSkopeo("standalone-verify", manifestPath,
+		dockerReference, fixturesTestKeyFingerprint, "/this/does/not/exist")
+	assertTestFailed(t, out, err, "/this/does/not/exist")
+
+	// Error verifying signature
+	out, err = runSkopeo("standalone-verify", manifestPath,
+		dockerReference, fixturesTestKeyFingerprint, "fixtures/corrupt.signature")
+	assertTestFailed(t, out, err, "Error verifying signature")
+
+	// Success
+	out, err = runSkopeo("standalone-verify", manifestPath,
+		dockerReference, fixturesTestKeyFingerprint, signaturePath)
+	assert.NoError(t, err)
+	assert.Equal(t, "Signature verified, digest "+fixturesTestImageManifestDigest.String()+"\n", out)
+}
+
+func TestUntrustedSignatureDump(t *testing.T) {
+	// Invalid command-line arguments
+	for _, args := range [][]string{
+		{},
+		{"a1", "a2"},
+		{"a1", "a2", "a3", "a4"},
+	} {
+		out, err := runSkopeo(append([]string{"untrusted-signature-dump-without-verification"}, args...)...)
+		assertTestFailed(t, out, err, "Usage")
+	}
+
+	// Error reading manifest
+	out, err := runSkopeo("untrusted-signature-dump-without-verification",
+		"/this/does/not/exist")
+	assertTestFailed(t, out, err, "/this/does/not/exist")
+
+	// Error reading signature (input is not a signature)
+	out, err = runSkopeo("untrusted-signature-dump-without-verification", "fixtures/image.manifest.json")
+	assertTestFailed(t, out, err, "Error decoding untrusted signature")
+
+	// Success
+	for _, path := range []string{"fixtures/image.signature", "fixtures/corrupt.signature"} {
+		// Success
+		out, err = runSkopeo("untrusted-signature-dump-without-verification", path)
+		require.NoError(t, err)
+
+		var info signature.UntrustedSignatureInformation
+		err := json.Unmarshal([]byte(out), &info)
+		require.NoError(t, err)
+		assert.Equal(t, fixturesTestImageManifestDigest, info.UntrustedDockerManifestDigest)
+		assert.Equal(t, "testing/manifest", info.UntrustedDockerReference)
+		assert.NotNil(t, info.UntrustedCreatorID)
+		assert.Equal(t, "atomic ", *info.UntrustedCreatorID)
+		assert.NotNil(t, info.UntrustedTimestamp)
+		assert.True(t, time.Unix(1458239713, 0).Equal(*info.UntrustedTimestamp))
+		assert.Equal(t, fixturesTestKeyShortID, info.UntrustedShortKeyIdentifier)
+	}
+}

cmd/skopeo/sync.go

@@ -0,0 +1,649 @@
+package main
+
+import (
+	"context"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"os"
+	"path"
+	"path/filepath"
+	"regexp"
+	"strings"
+
+	commonFlag "github.com/containers/common/pkg/flag"
+	"github.com/containers/common/pkg/retry"
+	"github.com/containers/image/v5/copy"
+	"github.com/containers/image/v5/directory"
+	"github.com/containers/image/v5/docker"
+	"github.com/containers/image/v5/docker/reference"
+	"github.com/containers/image/v5/pkg/cli"
+	"github.com/containers/image/v5/transports"
+	"github.com/containers/image/v5/types"
+	"github.com/opencontainers/go-digest"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"
+	"gopkg.in/yaml.v2"
+)
+
+// syncOptions contains information retrieved from the skopeo sync command line.
+type syncOptions struct {
+	global              *globalOptions // Global (not command dependent) skopeo options
+	deprecatedTLSVerify *deprecatedTLSVerifyOption
+	srcImage            *imageOptions     // Source image options
+	destImage           *imageDestOptions // Destination image options
+	retryOpts           *retry.RetryOptions
+	removeSignatures    bool                      // Do not copy signatures from the source image
+	signByFingerprint   string                    // Sign the image using a GPG key with the specified fingerprint
+	signPassphraseFile  string                    // Path pointing to a passphrase file when signing
+	format              commonFlag.OptionalString // Force conversion of the image to a specified format
+	source              string                    // Source repository name
+	destination         string                    // Destination registry name
+	scoped              bool                      // When true, namespace copied images at destination using the source repository name
+	all                 bool                      // Copy all of the images if an image in the source is a list
+	preserveDigests     bool                      // Preserve digests during sync
+	keepGoing           bool                      // Whether or not to abort the sync if there are any errors during syncing the images
+}
+
+// repoDescriptor contains information of a single repository used as a sync source.
+type repoDescriptor struct {
+	DirBasePath string                 // base path when source is 'dir'
+	ImageRefs   []types.ImageReference // List of tagged image found for the repository
+	Context     *types.SystemContext   // SystemContext for the sync command
+}
+
+// tlsVerifyConfig is an implementation of the Unmarshaler interface, used to
+// customize the unmarshaling behaviour of the tls-verify YAML key.
+type tlsVerifyConfig struct {
+	skip types.OptionalBool // skip TLS verification check (false by default)
+}
+
+// registrySyncConfig contains information about a single registry, read from
+// the source YAML file
+type registrySyncConfig struct {
+	Images           map[string][]string    // Images map images name to slices with the images' references (tags, digests)
+	ImagesByTagRegex map[string]string      `yaml:"images-by-tag-regex"` // Images map images name to regular expression with the images' tags
+	Credentials      types.DockerAuthConfig // Username and password used to authenticate with the registry
+	TLSVerify        tlsVerifyConfig        `yaml:"tls-verify"` // TLS verification mode (enabled by default)
+	CertDir          string                 `yaml:"cert-dir"`   // Path to the TLS certificates of the registry
+}
+
+// sourceConfig contains all registries information read from the source YAML file
+type sourceConfig map[string]registrySyncConfig
+
+func syncCmd(global *globalOptions) *cobra.Command {
+	sharedFlags, sharedOpts := sharedImageFlags()
+	deprecatedTLSVerifyFlags, deprecatedTLSVerifyOpt := deprecatedTLSVerifyFlags()
+	srcFlags, srcOpts := dockerImageFlags(global, sharedOpts, deprecatedTLSVerifyOpt, "src-", "screds")
+	destFlags, destOpts := dockerImageFlags(global, sharedOpts, deprecatedTLSVerifyOpt, "dest-", "dcreds")
+	retryFlags, retryOpts := retryFlags()
+
+	opts := syncOptions{
+		global:              global,
+		deprecatedTLSVerify: deprecatedTLSVerifyOpt,
+		srcImage:            srcOpts,
+		destImage:           &imageDestOptions{imageOptions: destOpts},
+		retryOpts:           retryOpts,
+	}
+
+	cmd := &cobra.Command{
+		Use:   "sync [command options] --src TRANSPORT --dest TRANSPORT SOURCE DESTINATION",
+		Short: "Synchronize one or more images from one location to another",
+		Long: `Copy all the images from a SOURCE to a DESTINATION.
+
+Allowed SOURCE transports (specified with --src): docker, dir, yaml.
+Allowed DESTINATION transports (specified with --dest): docker, dir.
+
+See skopeo-sync(1) for details.
+`,
+		RunE:    commandAction(opts.run),
+		Example: `skopeo sync --src docker --dest dir --scoped registry.example.com/busybox /media/usb`,
+	}
+	adjustUsage(cmd)
+	flags := cmd.Flags()
+	flags.BoolVar(&opts.removeSignatures, "remove-signatures", false, "Do not copy signatures from SOURCE images")
+	flags.StringVar(&opts.signByFingerprint, "sign-by", "", "Sign the image using a GPG key with the specified `FINGERPRINT`")
+	flags.StringVar(&opts.signPassphraseFile, "sign-passphrase-file", "", "File that contains a passphrase for the --sign-by key")
+	flags.VarP(commonFlag.NewOptionalStringValue(&opts.format), "format", "f", `MANIFEST TYPE (oci, v2s1, or v2s2) to use when syncing image(s) to a destination (default is manifest type of source, with fallbacks)`)
+	flags.StringVarP(&opts.source, "src", "s", "", "SOURCE transport type")
+	flags.StringVarP(&opts.destination, "dest", "d", "", "DESTINATION transport type")
+	flags.BoolVar(&opts.scoped, "scoped", false, "Images at DESTINATION are prefix using the full source image path as scope")
+	flags.BoolVarP(&opts.all, "all", "a", false, "Copy all images if SOURCE-IMAGE is a list")
+	flags.BoolVar(&opts.preserveDigests, "preserve-digests", false, "Preserve digests of images and lists")
+	flags.BoolVarP(&opts.keepGoing, "keep-going", "", false, "Do not abort the sync if any image copy fails")
+	flags.AddFlagSet(&sharedFlags)
+	flags.AddFlagSet(&deprecatedTLSVerifyFlags)
+	flags.AddFlagSet(&srcFlags)
+	flags.AddFlagSet(&destFlags)
+	flags.AddFlagSet(&retryFlags)
+	return cmd
+}
+
+// UnmarshalYAML is the implementation of the Unmarshaler interface method
+// method for the tlsVerifyConfig type.
+// It unmarshals the 'tls-verify' YAML key so that, when they key is not
+// specified, tls verification is enforced.
+func (tls *tlsVerifyConfig) UnmarshalYAML(unmarshal func(interface{}) error) error {
+	var verify bool
+	if err := unmarshal(&verify); err != nil {
+		return err
+	}
+
+	tls.skip = types.NewOptionalBool(!verify)
+	return nil
+}
+
+// newSourceConfig unmarshals the provided YAML file path to the sourceConfig type.
+// It returns a new unmarshaled sourceConfig object and any error encountered.
+func newSourceConfig(yamlFile string) (sourceConfig, error) {
+	var cfg sourceConfig
+	source, err := ioutil.ReadFile(yamlFile)
+	if err != nil {
+		return cfg, err
+	}
+	err = yaml.Unmarshal(source, &cfg)
+	if err != nil {
+		return cfg, errors.Wrapf(err, "Failed to unmarshal %q", yamlFile)
+	}
+	return cfg, nil
+}
+
+// parseRepositoryReference parses input into a reference.Named, and verifies that it names a repository, not an image.
+func parseRepositoryReference(input string) (reference.Named, error) {
+	ref, err := reference.ParseNormalizedNamed(input)
+	if err != nil {
+		return nil, err
+	}
+	if !reference.IsNameOnly(ref) {
+		return nil, errors.Errorf("input names a reference, not a repository")
+	}
+	return ref, nil
+}
+
+// destinationReference creates an image reference using the provided transport.
+// It returns a image reference to be used as destination of an image copy and
+// any error encountered.
+func destinationReference(destination string, transport string) (types.ImageReference, error) {
+	var imageTransport types.ImageTransport
+
+	switch transport {
+	case docker.Transport.Name():
+		destination = fmt.Sprintf("//%s", destination)
+		imageTransport = docker.Transport
+	case directory.Transport.Name():
+		_, err := os.Stat(destination)
+		if err == nil {
+			return nil, errors.Errorf("Refusing to overwrite destination directory %q", destination)
+		}
+		if !os.IsNotExist(err) {
+			return nil, errors.Wrap(err, "Destination directory could not be used")
+		}
+		// the directory holding the image must be created here
+		if err = os.MkdirAll(destination, 0755); err != nil {
+			return nil, errors.Wrapf(err, "Error creating directory for image %s", destination)
+		}
+		imageTransport = directory.Transport
+	default:
+		return nil, errors.Errorf("%q is not a valid destination transport", transport)
+	}
+	logrus.Debugf("Destination for transport %q: %s", transport, destination)
+
+	destRef, err := imageTransport.ParseReference(destination)
+	if err != nil {
+		return nil, errors.Wrapf(err, "Cannot obtain a valid image reference for transport %q and reference %q", imageTransport.Name(), destination)
+	}
+
+	return destRef, nil
+}
+
+// getImageTags lists all tags in a repository.
+// It returns a string slice of tags and any error encountered.
+func getImageTags(ctx context.Context, sysCtx *types.SystemContext, repoRef reference.Named) ([]string, error) {
+	name := repoRef.Name()
+	logrus.WithFields(logrus.Fields{
+		"image": name,
+	}).Info("Getting tags")
+	// Ugly: NewReference rejects IsNameOnly references, and GetRepositoryTags ignores the tag/digest.
+	// So, we use TagNameOnly here only to shut up NewReference
+	dockerRef, err := docker.NewReference(reference.TagNameOnly(repoRef))
+	if err != nil {
+		return nil, err // Should never happen for a reference with tag and no digest
+	}
+	tags, err := docker.GetRepositoryTags(ctx, sysCtx, dockerRef)
+
+	switch err := err.(type) {
+	case nil:
+		break
+	case docker.ErrUnauthorizedForCredentials:
+		// Some registries may decide to block the "list all tags" endpoint.
+		// Gracefully allow the sync to continue in this case.
+		logrus.Warnf("Registry disallows tag list retrieval: %s", err)
+	default:
+		return tags, errors.Wrapf(err, "Error determining repository tags for image %s", name)
+	}
+
+	return tags, nil
+}
+
+// imagesToCopyFromRepo builds a list of image references from the tags
+// found in a source repository.
+// It returns an image reference slice with as many elements as the tags found
+// and any error encountered.
+func imagesToCopyFromRepo(sys *types.SystemContext, repoRef reference.Named) ([]types.ImageReference, error) {
+	tags, err := getImageTags(context.Background(), sys, repoRef)
+	if err != nil {
+		return nil, err
+	}
+
+	var sourceReferences []types.ImageReference
+	for _, tag := range tags {
+		taggedRef, err := reference.WithTag(repoRef, tag)
+		if err != nil {
+			return nil, errors.Wrapf(err, "Error creating a reference for repository %s and tag %q", repoRef.Name(), tag)
+		}
+		ref, err := docker.NewReference(taggedRef)
+		if err != nil {
+			return nil, errors.Wrapf(err, "Cannot obtain a valid image reference for transport %q and reference %s", docker.Transport.Name(), taggedRef.String())
+		}
+		sourceReferences = append(sourceReferences, ref)
+	}
+	return sourceReferences, nil
+}
+
+// imagesToCopyFromDir builds a list of image references from the images found
+// in the source directory.
+// It returns an image reference slice with as many elements as the images found
+// and any error encountered.
+func imagesToCopyFromDir(dirPath string) ([]types.ImageReference, error) {
+	var sourceReferences []types.ImageReference
+	err := filepath.Walk(dirPath, func(path string, info os.FileInfo, err error) error {
+		if err != nil {
+			return err
+		}
+		if !info.IsDir() && info.Name() == "manifest.json" {
+			dirname := filepath.Dir(path)
+			ref, err := directory.Transport.ParseReference(dirname)
+			if err != nil {
+				return errors.Wrapf(err, "Cannot obtain a valid image reference for transport %q and reference %q", directory.Transport.Name(), dirname)
+			}
+			sourceReferences = append(sourceReferences, ref)
+			return filepath.SkipDir
+		}
+		return nil
+	})
+
+	if err != nil {
+		return sourceReferences,
+			errors.Wrapf(err, "Error walking the path %q", dirPath)
+	}
+
+	return sourceReferences, nil
+}
+
+// imagesToCopyFromRegistry builds a list of repository descriptors from the images
+// in a registry configuration.
+// It returns a repository descriptors slice with as many elements as the images
+// found and any error encountered. Each element of the slice is a list of
+// image references, to be used as sync source.
+func imagesToCopyFromRegistry(registryName string, cfg registrySyncConfig, sourceCtx types.SystemContext) ([]repoDescriptor, error) {
+	serverCtx := &sourceCtx
+	// override ctx with per-registryName options
+	serverCtx.DockerCertPath = cfg.CertDir
+	serverCtx.DockerDaemonCertPath = cfg.CertDir
+	serverCtx.DockerDaemonInsecureSkipTLSVerify = (cfg.TLSVerify.skip == types.OptionalBoolTrue)
+	serverCtx.DockerInsecureSkipTLSVerify = cfg.TLSVerify.skip
+	if cfg.Credentials != (types.DockerAuthConfig{}) {
+		serverCtx.DockerAuthConfig = &cfg.Credentials
+	}
+	var repoDescList []repoDescriptor
+	for imageName, refs := range cfg.Images {
+		repoLogger := logrus.WithFields(logrus.Fields{
+			"repo":     imageName,
+			"registry": registryName,
+		})
+		repoRef, err := parseRepositoryReference(fmt.Sprintf("%s/%s", registryName, imageName))
+		if err != nil {
+			repoLogger.Error("Error parsing repository name, skipping")
+			logrus.Error(err)
+			continue
+		}
+
+		repoLogger.Info("Processing repo")
+
+		var sourceReferences []types.ImageReference
+		if len(refs) != 0 {
+			for _, ref := range refs {
+				tagLogger := logrus.WithFields(logrus.Fields{"ref": ref})
+				var named reference.Named
+				// first try as digest
+				if d, err := digest.Parse(ref); err == nil {
+					named, err = reference.WithDigest(repoRef, d)
+					if err != nil {
+						tagLogger.Error("Error processing ref, skipping")
+						logrus.Error(err)
+						continue
+					}
+				} else {
+					tagLogger.Debugf("Ref was not a digest, trying as a tag: %s", err)
+					named, err = reference.WithTag(repoRef, ref)
+					if err != nil {
+						tagLogger.Error("Error parsing ref, skipping")
+						logrus.Error(err)
+						continue
+					}
+				}
+
+				imageRef, err := docker.NewReference(named)
+				if err != nil {
+					tagLogger.Error("Error processing ref, skipping")
+					logrus.Errorf("Error getting image reference: %s", err)
+					continue
+				}
+				sourceReferences = append(sourceReferences, imageRef)
+			}
+		} else { // len(refs) == 0
+			repoLogger.Info("Querying registry for image tags")
+			sourceReferences, err = imagesToCopyFromRepo(serverCtx, repoRef)
+			if err != nil {
+				repoLogger.Error("Error processing repo, skipping")
+				logrus.Error(err)
+				continue
+			}
+		}
+
+		if len(sourceReferences) == 0 {
+			repoLogger.Warnf("No refs to sync found")
+			continue
+		}
+		repoDescList = append(repoDescList, repoDescriptor{
+			ImageRefs: sourceReferences,
+			Context:   serverCtx})
+	}
+
+	for imageName, tagRegex := range cfg.ImagesByTagRegex {
+		repoLogger := logrus.WithFields(logrus.Fields{
+			"repo":     imageName,
+			"registry": registryName,
+		})
+		repoRef, err := parseRepositoryReference(fmt.Sprintf("%s/%s", registryName, imageName))
+		if err != nil {
+			repoLogger.Error("Error parsing repository name, skipping")
+			logrus.Error(err)
+			continue
+		}
+
+		repoLogger.Info("Processing repo")
+
+		var sourceReferences []types.ImageReference
+
+		tagReg, err := regexp.Compile(tagRegex)
+		if err != nil {
+			repoLogger.WithFields(logrus.Fields{
+				"regex": tagRegex,
+			}).Error("Error parsing regex, skipping")
+			logrus.Error(err)
+			continue
+		}
+
+		repoLogger.Info("Querying registry for image tags")
+		allSourceReferences, err := imagesToCopyFromRepo(serverCtx, repoRef)
+		if err != nil {
+			repoLogger.Error("Error processing repo, skipping")
+			logrus.Error(err)
+			continue
+		}
+
+		repoLogger.Infof("Start filtering using the regular expression: %v", tagRegex)
+		for _, sReference := range allSourceReferences {
+			tagged, isTagged := sReference.DockerReference().(reference.Tagged)
+			if !isTagged {
+				repoLogger.Errorf("Internal error, reference %s does not have a tag, skipping", sReference.DockerReference())
+				continue
+			}
+			if tagReg.MatchString(tagged.Tag()) {
+				sourceReferences = append(sourceReferences, sReference)
+			}
+		}
+
+		if len(sourceReferences) == 0 {
+			repoLogger.Warnf("No refs to sync found")
+			continue
+		}
+		repoDescList = append(repoDescList, repoDescriptor{
+			ImageRefs: sourceReferences,
+			Context:   serverCtx})
+	}
+
+	return repoDescList, nil
+}
+
+// imagesToCopy retrieves all the images to copy from a specified sync source
+// and transport.
+// It returns a slice of repository descriptors, where each descriptor is a
+// list of tagged image references to be used as sync source, and any error
+// encountered.
+func imagesToCopy(source string, transport string, sourceCtx *types.SystemContext) ([]repoDescriptor, error) {
+	var descriptors []repoDescriptor
+
+	switch transport {
+	case docker.Transport.Name():
+		desc := repoDescriptor{
+			Context: sourceCtx,
+		}
+		named, err := reference.ParseNormalizedNamed(source) // May be a repository or an image.
+		if err != nil {
+			return nil, errors.Wrapf(err, "Cannot obtain a valid image reference for transport %q and reference %q", docker.Transport.Name(), source)
+		}
+		imageTagged := !reference.IsNameOnly(named)
+		logrus.WithFields(logrus.Fields{
+			"imagename": source,
+			"tagged":    imageTagged,
+		}).Info("Tag presence check")
+		if imageTagged {
+			srcRef, err := docker.NewReference(named)
+			if err != nil {
+				return nil, errors.Wrapf(err, "Cannot obtain a valid image reference for transport %q and reference %q", docker.Transport.Name(), named.String())
+			}
+			desc.ImageRefs = []types.ImageReference{srcRef}
+		} else {
+			desc.ImageRefs, err = imagesToCopyFromRepo(sourceCtx, named)
+			if err != nil {
+				return descriptors, err
+			}
+			if len(desc.ImageRefs) == 0 {
+				return descriptors, errors.Errorf("No images to sync found in %q", source)
+			}
+		}
+		descriptors = append(descriptors, desc)
+
+	case directory.Transport.Name():
+		desc := repoDescriptor{
+			Context: sourceCtx,
+		}
+
+		if _, err := os.Stat(source); err != nil {
+			return descriptors, errors.Wrap(err, "Invalid source directory specified")
+		}
+		desc.DirBasePath = source
+		var err error
+		desc.ImageRefs, err = imagesToCopyFromDir(source)
+		if err != nil {
+			return descriptors, err
+		}
+		if len(desc.ImageRefs) == 0 {
+			return descriptors, errors.Errorf("No images to sync found in %q", source)
+		}
+		descriptors = append(descriptors, desc)
+
+	case "yaml":
+		cfg, err := newSourceConfig(source)
+		if err != nil {
+			return descriptors, err
+		}
+		for registryName, registryConfig := range cfg {
+			if len(registryConfig.Images) == 0 && len(registryConfig.ImagesByTagRegex) == 0 {
+				logrus.WithFields(logrus.Fields{
+					"registry": registryName,
+				}).Warn("No images specified for registry")
+				continue
+			}
+
+			descs, err := imagesToCopyFromRegistry(registryName, registryConfig, *sourceCtx)
+			if err != nil {
+				return descriptors, errors.Wrapf(err, "Failed to retrieve list of images from registry %q", registryName)
+			}
+			descriptors = append(descriptors, descs...)
+		}
+	}
+
+	return descriptors, nil
+}
+
+func (opts *syncOptions) run(args []string, stdout io.Writer) error {
+	if len(args) != 2 {
+		return errorShouldDisplayUsage{errors.New("Exactly two arguments expected")}
+	}
+	opts.deprecatedTLSVerify.warnIfUsed([]string{"--src-tls-verify", "--dest-tls-verify"})
+
+	policyContext, err := opts.global.getPolicyContext()
+	if err != nil {
+		return errors.Wrapf(err, "Error loading trust policy")
+	}
+	defer policyContext.Destroy()
+
+	// validate source and destination options
+	contains := func(val string, list []string) (_ bool) {
+		for _, l := range list {
+			if l == val {
+				return true
+			}
+		}
+		return
+	}
+
+	if len(opts.source) == 0 {
+		return errors.New("A source transport must be specified")
+	}
+	if !contains(opts.source, []string{docker.Transport.Name(), directory.Transport.Name(), "yaml"}) {
+		return errors.Errorf("%q is not a valid source transport", opts.source)
+	}
+
+	if len(opts.destination) == 0 {
+		return errors.New("A destination transport must be specified")
+	}
+	if !contains(opts.destination, []string{docker.Transport.Name(), directory.Transport.Name()}) {
+		return errors.Errorf("%q is not a valid destination transport", opts.destination)
+	}
+
+	if opts.source == opts.destination && opts.source == directory.Transport.Name() {
+		return errors.New("sync from 'dir' to 'dir' not implemented, consider using rsync instead")
+	}
+
+	imageListSelection := copy.CopySystemImage
+	if opts.all {
+		imageListSelection = copy.CopyAllImages
+	}
+
+	sourceCtx, err := opts.srcImage.newSystemContext()
+	if err != nil {
+		return err
+	}
+
+	var manifestType string
+	if opts.format.Present() {
+		manifestType, err = parseManifestFormat(opts.format.Value())
+		if err != nil {
+			return err
+		}
+	}
+
+	ctx, cancel := opts.global.commandTimeoutContext()
+	defer cancel()
+
+	sourceArg := args[0]
+	var srcRepoList []repoDescriptor
+	if err = retry.RetryIfNecessary(ctx, func() error {
+		srcRepoList, err = imagesToCopy(sourceArg, opts.source, sourceCtx)
+		return err
+	}, opts.retryOpts); err != nil {
+		return err
+	}
+
+	destination := args[1]
+	destinationCtx, err := opts.destImage.newSystemContext()
+	if err != nil {
+		return err
+	}
+
+	passphrase, err := cli.ReadPassphraseFile(opts.signPassphraseFile)
+	if err != nil {
+		return err
+	}
+	options := copy.Options{
+		RemoveSignatures:                      opts.removeSignatures,
+		SignBy:                                opts.signByFingerprint,
+		SignPassphrase:                        passphrase,
+		ReportWriter:                          os.Stdout,
+		DestinationCtx:                        destinationCtx,
+		ImageListSelection:                    imageListSelection,
+		PreserveDigests:                       opts.preserveDigests,
+		OptimizeDestinationImageAlreadyExists: true,
+		ForceManifestMIMEType:                 manifestType,
+	}
+	errorsPresent := false
+	imagesNumber := 0
+	for _, srcRepo := range srcRepoList {
+		options.SourceCtx = srcRepo.Context
+		for counter, ref := range srcRepo.ImageRefs {
+			var destSuffix string
+			switch ref.Transport() {
+			case docker.Transport:
+				// docker -> dir or docker -> docker
+				destSuffix = ref.DockerReference().String()
+			case directory.Transport:
+				// dir -> docker (we don't allow `dir` -> `dir` sync operations)
+				destSuffix = strings.TrimPrefix(ref.StringWithinTransport(), srcRepo.DirBasePath)
+				if destSuffix == "" {
+					// if source is a full path to an image, have destPath scoped to repo:tag
+					destSuffix = path.Base(srcRepo.DirBasePath)
+				}
+			}
+
+			if !opts.scoped {
+				destSuffix = path.Base(destSuffix)
+			}
+
+			destRef, err := destinationReference(path.Join(destination, destSuffix), opts.destination)
+			if err != nil {
+				return err
+			}
+
+			logrus.WithFields(logrus.Fields{
+				"from": transports.ImageName(ref),
+				"to":   transports.ImageName(destRef),
+			}).Infof("Copying image ref %d/%d", counter+1, len(srcRepo.ImageRefs))
+
+			if err = retry.RetryIfNecessary(ctx, func() error {
+				_, err = copy.Image(ctx, policyContext, destRef, ref, &options)
+				return err
+			}, opts.retryOpts); err != nil {
+				if !opts.keepGoing {
+					return errors.Wrapf(err, "Error copying ref %q", transports.ImageName(ref))
+				}
+				// log the error, keep a note that there was a failure and move on to the next
+				// image ref
+				errorsPresent = true
+				logrus.WithError(err).Errorf("Error copying ref %q", transports.ImageName(ref))
+				continue
+			}
+			imagesNumber++
+		}
+	}
+
+	logrus.Infof("Synced %d images from %d sources", imagesNumber, len(srcRepoList))
+	if !errorsPresent {
+		return nil
+	}
+	return errors.New("Sync failed due to previous reported error(s) for one or more images")
+}

cmd/skopeo/unshare.go

@@ -0,0 +1,8 @@
+//go:build !linux
+// +build !linux
+
+package main
+
+func reexecIfNecessaryForImages(inputImageNames ...string) error {
+	return nil
+}

cmd/skopeo/unshare_linux.go

@@ -0,0 +1,48 @@
+package main
+
+import (
+	"github.com/containers/image/v5/transports/alltransports"
+	"github.com/containers/storage/pkg/unshare"
+	"github.com/pkg/errors"
+	"github.com/syndtr/gocapability/capability"
+)
+
+var neededCapabilities = []capability.Cap{
+	capability.CAP_CHOWN,
+	capability.CAP_DAC_OVERRIDE,
+	capability.CAP_FOWNER,
+	capability.CAP_FSETID,
+	capability.CAP_MKNOD,
+	capability.CAP_SETFCAP,
+}
+
+func maybeReexec() error {
+	// With Skopeo we need only the subset of the root capabilities necessary
+	// for pulling an image to the storage.  Do not attempt to create a namespace
+	// if we already have the capabilities we need.
+	capabilities, err := capability.NewPid(0)
+	if err != nil {
+		return errors.Wrapf(err, "error reading the current capabilities sets")
+	}
+	for _, cap := range neededCapabilities {
+		if !capabilities.Get(capability.EFFECTIVE, cap) {
+			// We miss a capability we need, create a user namespaces
+			unshare.MaybeReexecUsingUserNamespace(true)
+			return nil
+		}
+	}
+	return nil
+}
+
+func reexecIfNecessaryForImages(imageNames ...string) error {
+	// Check if container-storage is used before doing unshare
+	for _, imageName := range imageNames {
+		transport := alltransports.TransportFromImageName(imageName)
+		// Hard-code the storage name to avoid a reference on c/image/storage.
+		// See https://github.com/containers/skopeo/issues/771#issuecomment-563125006.
+		if transport != nil && transport.Name() == "containers-storage" {
+			return maybeReexec()
+		}
+	}
+	return nil
+}

cmd/skopeo/utils.go

@@ -0,0 +1,356 @@
+package main
+
+import (
+	"context"
+	"fmt"
+	"io"
+	"os"
+	"strings"
+
+	commonFlag "github.com/containers/common/pkg/flag"
+	"github.com/containers/common/pkg/retry"
+	"github.com/containers/image/v5/manifest"
+	"github.com/containers/image/v5/pkg/compression"
+	"github.com/containers/image/v5/transports/alltransports"
+	"github.com/containers/image/v5/types"
+	imgspecv1 "github.com/opencontainers/image-spec/specs-go/v1"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"
+	"github.com/spf13/pflag"
+)
+
+// errorShouldDisplayUsage is a subtype of error used by command handlers to indicate that cli.ShowSubcommandHelp should be called.
+type errorShouldDisplayUsage struct {
+	error
+}
+
+// commandAction intermediates between the RunE interface and the real handler,
+// primarily to ensure that cobra.Command is not available to the handler, which in turn
+// makes sure that the cmd.Flags() etc. flag access functions are not used,
+// and everything is done using the *Options structures and the *Var() methods of cmd.Flag().
+// handler may return errorShouldDisplayUsage to cause c.Help to be called.
+func commandAction(handler func(args []string, stdout io.Writer) error) func(cmd *cobra.Command, args []string) error {
+	return func(c *cobra.Command, args []string) error {
+		err := handler(args, c.OutOrStdout())
+		if _, ok := err.(errorShouldDisplayUsage); ok {
+			c.Help()
+		}
+		return err
+	}
+}
+
+// deprecatedTLSVerifyOption represents a deprecated --tls-verify option,
+// which was accepted for all subcommands, for a time.
+// Every user should call deprecatedTLSVerifyOption.warnIfUsed() as part of handling the CLI,
+// whether or not the value actually ends up being used.
+// DO NOT ADD ANY NEW USES OF THIS; just call dockerImageFlags with an appropriate, possibly empty, flagPrefix.
+type deprecatedTLSVerifyOption struct {
+	tlsVerify commonFlag.OptionalBool // FIXME FIXME: Warn if this is used, or even if it is ignored.
+}
+
+// warnIfUsed warns if tlsVerify was set by the user, and suggests alternatives (which should
+// start with "--").
+// Every user should call this as part of handling the CLI, whether or not the value actually
+// ends up being used.
+func (opts *deprecatedTLSVerifyOption) warnIfUsed(alternatives []string) {
+	if opts.tlsVerify.Present() {
+		logrus.Warnf("'--tls-verify' is deprecated, instead use: %s", strings.Join(alternatives, ", "))
+	}
+}
+
+// deprecatedTLSVerifyFlags prepares the CLI flag writing into deprecatedTLSVerifyOption, and the managed deprecatedTLSVerifyOption structure.
+// DO NOT ADD ANY NEW USES OF THIS; just call dockerImageFlags with an appropriate, possibly empty, flagPrefix.
+func deprecatedTLSVerifyFlags() (pflag.FlagSet, *deprecatedTLSVerifyOption) {
+	opts := deprecatedTLSVerifyOption{}
+	fs := pflag.FlagSet{}
+	flag := commonFlag.OptionalBoolFlag(&fs, &opts.tlsVerify, "tls-verify", "require HTTPS and verify certificates when accessing the container registry")
+	flag.Hidden = true
+	return fs, &opts
+}
+
+// sharedImageOptions collects CLI flags which are image-related, but do not change across images.
+// This really should be a part of globalOptions, but that would break existing users of (skopeo copy --authfile=).
+type sharedImageOptions struct {
+	authFilePath string // Path to a */containers/auth.json
+}
+
+// sharedImageFlags prepares a collection of CLI flags writing into sharedImageOptions, and the managed sharedImageOptions structure.
+func sharedImageFlags() (pflag.FlagSet, *sharedImageOptions) {
+	opts := sharedImageOptions{}
+	fs := pflag.FlagSet{}
+	fs.StringVar(&opts.authFilePath, "authfile", os.Getenv("REGISTRY_AUTH_FILE"), "path of the authentication file. Default is ${XDG_RUNTIME_DIR}/containers/auth.json")
+	return fs, &opts
+}
+
+// dockerImageOptions collects CLI flags specific to the "docker" transport, which are
+// the same across subcommands, but may be different for each image
+// (e.g. may differ between the source and destination of a copy)
+type dockerImageOptions struct {
+	global              *globalOptions             // May be shared across several imageOptions instances.
+	shared              *sharedImageOptions        // May be shared across several imageOptions instances.
+	deprecatedTLSVerify *deprecatedTLSVerifyOption // May be shared across several imageOptions instances, or nil.
+	authFilePath        commonFlag.OptionalString  // Path to a */containers/auth.json (prefixed version to override shared image option).
+	credsOption         commonFlag.OptionalString  // username[:password] for accessing a registry
+	userName            commonFlag.OptionalString  // username for accessing a registry
+	password            commonFlag.OptionalString  // password for accessing a registry
+	registryToken       commonFlag.OptionalString  // token to be used directly as a Bearer token when accessing the registry
+	dockerCertPath      string                     // A directory using Docker-like *.{crt,cert,key} files for connecting to a registry or a daemon
+	tlsVerify           commonFlag.OptionalBool    // Require HTTPS and verify certificates (for docker: and docker-daemon:)
+	noCreds             bool                       // Access the registry anonymously
+}
+
+// imageOptions collects CLI flags which are the same across subcommands, but may be different for each image
+// (e.g. may differ between the source and destination of a copy)
+type imageOptions struct {
+	dockerImageOptions
+	sharedBlobDir    string // A directory to use for OCI blobs, shared across repositories
+	dockerDaemonHost string // docker-daemon: host to connect to
+}
+
+// dockerImageFlags prepares a collection of docker-transport specific CLI flags
+// writing into imageOptions, and the managed imageOptions structure.
+func dockerImageFlags(global *globalOptions, shared *sharedImageOptions, deprecatedTLSVerify *deprecatedTLSVerifyOption, flagPrefix, credsOptionAlias string) (pflag.FlagSet, *imageOptions) {
+	flags := imageOptions{
+		dockerImageOptions: dockerImageOptions{
+			global:              global,
+			shared:              shared,
+			deprecatedTLSVerify: deprecatedTLSVerify,
+		},
+	}
+
+	fs := pflag.FlagSet{}
+	if flagPrefix != "" {
+		// the non-prefixed flag is handled by a shared flag.
+		fs.Var(commonFlag.NewOptionalStringValue(&flags.authFilePath), flagPrefix+"authfile", "path of the authentication file. Default is ${XDG_RUNTIME_DIR}/containers/auth.json")
+	}
+	fs.Var(commonFlag.NewOptionalStringValue(&flags.credsOption), flagPrefix+"creds", "Use `USERNAME[:PASSWORD]` for accessing the registry")
+	fs.Var(commonFlag.NewOptionalStringValue(&flags.userName), flagPrefix+"username", "Username for accessing the registry")
+	fs.Var(commonFlag.NewOptionalStringValue(&flags.password), flagPrefix+"password", "Password for accessing the registry")
+	if credsOptionAlias != "" {
+		// This is horribly ugly, but we need to support the old option forms of (skopeo copy) for compatibility.
+		// Don't add any more cases like this.
+		f := fs.VarPF(commonFlag.NewOptionalStringValue(&flags.credsOption), credsOptionAlias, "", "Use `USERNAME[:PASSWORD]` for accessing the registry")
+		f.Hidden = true
+	}
+	fs.Var(commonFlag.NewOptionalStringValue(&flags.registryToken), flagPrefix+"registry-token", "Provide a Bearer token for accessing the registry")
+	fs.StringVar(&flags.dockerCertPath, flagPrefix+"cert-dir", "", "use certificates at `PATH` (*.crt, *.cert, *.key) to connect to the registry or daemon")
+	commonFlag.OptionalBoolFlag(&fs, &flags.tlsVerify, flagPrefix+"tls-verify", "require HTTPS and verify certificates when talking to the container registry or daemon")
+	fs.BoolVar(&flags.noCreds, flagPrefix+"no-creds", false, "Access the registry anonymously")
+	return fs, &flags
+}
+
+// imageFlags prepares a collection of CLI flags writing into imageOptions, and the managed imageOptions structure.
+func imageFlags(global *globalOptions, shared *sharedImageOptions, deprecatedTLSVerify *deprecatedTLSVerifyOption, flagPrefix, credsOptionAlias string) (pflag.FlagSet, *imageOptions) {
+	dockerFlags, opts := dockerImageFlags(global, shared, deprecatedTLSVerify, flagPrefix, credsOptionAlias)
+
+	fs := pflag.FlagSet{}
+	fs.StringVar(&opts.sharedBlobDir, flagPrefix+"shared-blob-dir", "", "`DIRECTORY` to use to share blobs across OCI repositories")
+	fs.StringVar(&opts.dockerDaemonHost, flagPrefix+"daemon-host", "", "use docker daemon host at `HOST` (docker-daemon: only)")
+	fs.AddFlagSet(&dockerFlags)
+	return fs, opts
+}
+
+func retryFlags() (pflag.FlagSet, *retry.RetryOptions) {
+	opts := retry.RetryOptions{}
+	fs := pflag.FlagSet{}
+	fs.IntVar(&opts.MaxRetry, "retry-times", 0, "the number of times to possibly retry")
+	return fs, &opts
+}
+
+// newSystemContext returns a *types.SystemContext corresponding to opts.
+// It is guaranteed to return a fresh instance, so it is safe to make additional updates to it.
+func (opts *imageOptions) newSystemContext() (*types.SystemContext, error) {
+	// *types.SystemContext instance from globalOptions
+	//  imageOptions option overrides the instance if both are present.
+	ctx := opts.global.newSystemContext()
+	ctx.DockerCertPath = opts.dockerCertPath
+	ctx.OCISharedBlobDirPath = opts.sharedBlobDir
+	ctx.AuthFilePath = opts.shared.authFilePath
+	ctx.DockerDaemonHost = opts.dockerDaemonHost
+	ctx.DockerDaemonCertPath = opts.dockerCertPath
+	if opts.dockerImageOptions.authFilePath.Present() {
+		ctx.AuthFilePath = opts.dockerImageOptions.authFilePath.Value()
+	}
+	if opts.deprecatedTLSVerify != nil && opts.deprecatedTLSVerify.tlsVerify.Present() {
+		// If both this deprecated option and a non-deprecated option is present, we use the latter value.
+		ctx.DockerInsecureSkipTLSVerify = types.NewOptionalBool(!opts.deprecatedTLSVerify.tlsVerify.Value())
+	}
+	if opts.tlsVerify.Present() {
+		ctx.DockerDaemonInsecureSkipTLSVerify = !opts.tlsVerify.Value()
+	}
+	if opts.tlsVerify.Present() {
+		ctx.DockerInsecureSkipTLSVerify = types.NewOptionalBool(!opts.tlsVerify.Value())
+	}
+	if opts.credsOption.Present() && opts.noCreds {
+		return nil, errors.New("creds and no-creds cannot be specified at the same time")
+	}
+	if opts.userName.Present() && opts.noCreds {
+		return nil, errors.New("username and no-creds cannot be specified at the same time")
+	}
+	if opts.credsOption.Present() && opts.userName.Present() {
+		return nil, errors.New("creds and username cannot be specified at the same time")
+	}
+	// if any of username or password is present, then both are expected to be present
+	if opts.userName.Present() != opts.password.Present() {
+		if opts.userName.Present() {
+			return nil, errors.New("password must be specified when username is specified")
+		}
+		return nil, errors.New("username must be specified when password is specified")
+	}
+	if opts.credsOption.Present() {
+		var err error
+		ctx.DockerAuthConfig, err = getDockerAuth(opts.credsOption.Value())
+		if err != nil {
+			return nil, err
+		}
+	} else if opts.userName.Present() {
+		ctx.DockerAuthConfig = &types.DockerAuthConfig{
+			Username: opts.userName.Value(),
+			Password: opts.password.Value(),
+		}
+	}
+	if opts.registryToken.Present() {
+		ctx.DockerBearerRegistryToken = opts.registryToken.Value()
+	}
+	if opts.noCreds {
+		ctx.DockerAuthConfig = &types.DockerAuthConfig{}
+	}
+
+	return ctx, nil
+}
+
+// imageDestOptions is a superset of imageOptions specialized for image destinations.
+type imageDestOptions struct {
+	*imageOptions
+	dirForceCompression         bool                   // Compress layers when saving to the dir: transport
+	dirForceDecompression       bool                   // Decompress layers when saving to the dir: transport
+	ociAcceptUncompressedLayers bool                   // Whether to accept uncompressed layers in the oci: transport
+	compressionFormat           string                 // Format to use for the compression
+	compressionLevel            commonFlag.OptionalInt // Level to use for the compression
+	precomputeDigests           bool                   // Precompute digests to dedup layers when saving to the docker: transport
+}
+
+// imageDestFlags prepares a collection of CLI flags writing into imageDestOptions, and the managed imageDestOptions structure.
+func imageDestFlags(global *globalOptions, shared *sharedImageOptions, deprecatedTLSVerify *deprecatedTLSVerifyOption, flagPrefix, credsOptionAlias string) (pflag.FlagSet, *imageDestOptions) {
+	genericFlags, genericOptions := imageFlags(global, shared, deprecatedTLSVerify, flagPrefix, credsOptionAlias)
+	opts := imageDestOptions{imageOptions: genericOptions}
+	fs := pflag.FlagSet{}
+	fs.AddFlagSet(&genericFlags)
+	fs.BoolVar(&opts.dirForceCompression, flagPrefix+"compress", false, "Compress tarball image layers when saving to directory using the 'dir' transport. (default is same compression type as source)")
+	fs.BoolVar(&opts.dirForceDecompression, flagPrefix+"decompress", false, "Decompress tarball image layers when saving to directory using the 'dir' transport. (default is same compression type as source)")
+	fs.BoolVar(&opts.ociAcceptUncompressedLayers, flagPrefix+"oci-accept-uncompressed-layers", false, "Allow uncompressed image layers when saving to an OCI image using the 'oci' transport. (default is to compress things that aren't compressed)")
+	fs.StringVar(&opts.compressionFormat, flagPrefix+"compress-format", "", "`FORMAT` to use for the compression")
+	fs.Var(commonFlag.NewOptionalIntValue(&opts.compressionLevel), flagPrefix+"compress-level", "`LEVEL` to use for the compression")
+	fs.BoolVar(&opts.precomputeDigests, flagPrefix+"precompute-digests", false, "Precompute digests to prevent uploading layers already on the registry using the 'docker' transport.")
+	return fs, &opts
+}
+
+// newSystemContext returns a *types.SystemContext corresponding to opts.
+// It is guaranteed to return a fresh instance, so it is safe to make additional updates to it.
+func (opts *imageDestOptions) newSystemContext() (*types.SystemContext, error) {
+	ctx, err := opts.imageOptions.newSystemContext()
+	if err != nil {
+		return nil, err
+	}
+
+	ctx.DirForceCompress = opts.dirForceCompression
+	ctx.DirForceDecompress = opts.dirForceDecompression
+	ctx.OCIAcceptUncompressedLayers = opts.ociAcceptUncompressedLayers
+	if opts.compressionFormat != "" {
+		cf, err := compression.AlgorithmByName(opts.compressionFormat)
+		if err != nil {
+			return nil, err
+		}
+		ctx.CompressionFormat = &cf
+	}
+	if opts.compressionLevel.Present() {
+		value := opts.compressionLevel.Value()
+		ctx.CompressionLevel = &value
+	}
+	ctx.DockerRegistryPushPrecomputeDigests = opts.precomputeDigests
+	return ctx, err
+}
+
+func parseCreds(creds string) (string, string, error) {
+	if creds == "" {
+		return "", "", errors.New("credentials can't be empty")
+	}
+	up := strings.SplitN(creds, ":", 2)
+	if len(up) == 1 {
+		return up[0], "", nil
+	}
+	if up[0] == "" {
+		return "", "", errors.New("username can't be empty")
+	}
+	return up[0], up[1], nil
+}
+
+func getDockerAuth(creds string) (*types.DockerAuthConfig, error) {
+	username, password, err := parseCreds(creds)
+	if err != nil {
+		return nil, err
+	}
+	return &types.DockerAuthConfig{
+		Username: username,
+		Password: password,
+	}, nil
+}
+
+// parseImageSource converts image URL-like string to an ImageSource.
+// The caller must call .Close() on the returned ImageSource.
+func parseImageSource(ctx context.Context, opts *imageOptions, name string) (types.ImageSource, error) {
+	ref, err := alltransports.ParseImageName(name)
+	if err != nil {
+		return nil, err
+	}
+	sys, err := opts.newSystemContext()
+	if err != nil {
+		return nil, err
+	}
+	return ref.NewImageSource(ctx, sys)
+}
+
+// parseManifestFormat parses format parameter for copy and sync command.
+// It returns string value to use as manifest MIME type
+func parseManifestFormat(manifestFormat string) (string, error) {
+	switch manifestFormat {
+	case "oci":
+		return imgspecv1.MediaTypeImageManifest, nil
+	case "v2s1":
+		return manifest.DockerV2Schema1SignedMediaType, nil
+	case "v2s2":
+		return manifest.DockerV2Schema2MediaType, nil
+	default:
+		return "", fmt.Errorf("unknown format %q. Choose one of the supported formats: 'oci', 'v2s1', or 'v2s2'", manifestFormat)
+	}
+}
+
+// usageTemplate returns the usage template for skopeo commands
+// This blocks the displaying of the global options. The main skopeo
+// command should not use this.
+const usageTemplate = `Usage:{{if .Runnable}}
+{{.UseLine}}{{end}}{{if .HasAvailableSubCommands}}
+
+{{.CommandPath}} [command]{{end}}{{if gt (len .Aliases) 0}}
+
+Aliases:
+{{.NameAndAliases}}{{end}}{{if .HasExample}}
+
+Examples:
+{{.Example}}{{end}}{{if .HasAvailableSubCommands}}
+
+Available Commands:{{range .Commands}}{{if (or .IsAvailableCommand (eq .Name "help"))}}
+{{rpad .Name .NamePadding }} {{.Short}}{{end}}{{end}}{{end}}{{if .HasAvailableLocalFlags}}
+
+Flags:
+{{.LocalFlags.FlagUsages | trimTrailingWhitespaces}}{{end}}{{if .HasAvailableInheritedFlags}}
+{{end}}
+`
+
+// adjustUsage uses usageTemplate template to get rid the GlobalOption from usage
+// and disable [flag] at the end of command usage
+func adjustUsage(c *cobra.Command) {
+	c.SetUsageTemplate(usageTemplate)
+	c.DisableFlagsInUseLine = true
+}

cmd/skopeo/utils_test.go

@@ -0,0 +1,415 @@
+package main
+
+import (
+	"os"
+	"testing"
+
+	"github.com/containers/image/v5/manifest"
+	"github.com/containers/image/v5/types"
+	imgspecv1 "github.com/opencontainers/image-spec/specs-go/v1"
+	"github.com/spf13/cobra"
+	"github.com/spf13/pflag"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+// fakeGlobalOptions creates globalOptions and sets it according to flags.
+func fakeGlobalOptions(t *testing.T, flags []string) (*globalOptions, *cobra.Command) {
+	app, opts := createApp()
+	cmd := &cobra.Command{}
+	app.AddCommand(cmd)
+	err := app.ParseFlags(flags)
+	require.NoError(t, err)
+	return opts, cmd
+}
+
+// fakeImageOptions creates imageOptions and sets it according to globalFlags/cmdFlags.
+func fakeImageOptions(t *testing.T, flagPrefix string, useDeprecatedTLSVerify bool,
+	globalFlags []string, cmdFlags []string) *imageOptions {
+	globalOpts, cmd := fakeGlobalOptions(t, globalFlags)
+	sharedFlags, sharedOpts := sharedImageFlags()
+	var deprecatedTLSVerifyFlag pflag.FlagSet
+	var deprecatedTLSVerifyOpt *deprecatedTLSVerifyOption
+	if useDeprecatedTLSVerify {
+		deprecatedTLSVerifyFlag, deprecatedTLSVerifyOpt = deprecatedTLSVerifyFlags()
+	}
+	imageFlags, imageOpts := imageFlags(globalOpts, sharedOpts, deprecatedTLSVerifyOpt, flagPrefix, "")
+	cmd.Flags().AddFlagSet(&sharedFlags)
+	if useDeprecatedTLSVerify {
+		cmd.Flags().AddFlagSet(&deprecatedTLSVerifyFlag)
+	}
+	cmd.Flags().AddFlagSet(&imageFlags)
+	err := cmd.ParseFlags(cmdFlags)
+	require.NoError(t, err)
+	return imageOpts
+}
+
+func TestImageOptionsNewSystemContext(t *testing.T) {
+	// Default state
+	opts := fakeImageOptions(t, "dest-", true, []string{}, []string{})
+	res, err := opts.newSystemContext()
+	require.NoError(t, err)
+	assert.Equal(t, &types.SystemContext{
+		DockerRegistryUserAgent: defaultUserAgent,
+	}, res)
+
+	// Set everything to non-default values.
+	opts = fakeImageOptions(t, "dest-", true, []string{
+		"--registries.d", "/srv/registries.d",
+		"--override-arch", "overridden-arch",
+		"--override-os", "overridden-os",
+		"--override-variant", "overridden-variant",
+		"--tmpdir", "/srv",
+	}, []string{
+		"--authfile", "/srv/authfile",
+		"--dest-authfile", "/srv/dest-authfile",
+		"--dest-cert-dir", "/srv/cert-dir",
+		"--dest-shared-blob-dir", "/srv/shared-blob-dir",
+		"--dest-daemon-host", "daemon-host.example.com",
+		"--dest-tls-verify=false",
+		"--dest-creds", "creds-user:creds-password",
+		"--dest-registry-token", "faketoken",
+	})
+	res, err = opts.newSystemContext()
+	require.NoError(t, err)
+	assert.Equal(t, &types.SystemContext{
+		RegistriesDirPath:                 "/srv/registries.d",
+		AuthFilePath:                      "/srv/dest-authfile",
+		ArchitectureChoice:                "overridden-arch",
+		OSChoice:                          "overridden-os",
+		VariantChoice:                     "overridden-variant",
+		OCISharedBlobDirPath:              "/srv/shared-blob-dir",
+		DockerCertPath:                    "/srv/cert-dir",
+		DockerInsecureSkipTLSVerify:       types.OptionalBoolTrue,
+		DockerAuthConfig:                  &types.DockerAuthConfig{Username: "creds-user", Password: "creds-password"},
+		DockerBearerRegistryToken:         "faketoken",
+		DockerDaemonCertPath:              "/srv/cert-dir",
+		DockerDaemonHost:                  "daemon-host.example.com",
+		DockerDaemonInsecureSkipTLSVerify: true,
+		DockerRegistryUserAgent:           defaultUserAgent,
+		BigFilesTemporaryDir:              "/srv",
+	}, res)
+
+	// Global/per-command tlsVerify behavior is tested in TestTLSVerifyFlags.
+
+	// Invalid option values
+	opts = fakeImageOptions(t, "dest-", true, []string{}, []string{"--dest-creds", ""})
+	_, err = opts.newSystemContext()
+	assert.Error(t, err)
+}
+
+// fakeImageDestOptions creates imageDestOptions and sets it according to globalFlags/cmdFlags.
+func fakeImageDestOptions(t *testing.T, flagPrefix string, useDeprecatedTLSVerify bool,
+	globalFlags []string, cmdFlags []string) *imageDestOptions {
+	globalOpts, cmd := fakeGlobalOptions(t, globalFlags)
+	sharedFlags, sharedOpts := sharedImageFlags()
+	var deprecatedTLSVerifyFlag pflag.FlagSet
+	var deprecatedTLSVerifyOpt *deprecatedTLSVerifyOption
+	if useDeprecatedTLSVerify {
+		deprecatedTLSVerifyFlag, deprecatedTLSVerifyOpt = deprecatedTLSVerifyFlags()
+	}
+	imageFlags, imageOpts := imageDestFlags(globalOpts, sharedOpts, deprecatedTLSVerifyOpt, flagPrefix, "")
+	cmd.Flags().AddFlagSet(&sharedFlags)
+	if useDeprecatedTLSVerify {
+		cmd.Flags().AddFlagSet(&deprecatedTLSVerifyFlag)
+	}
+	cmd.Flags().AddFlagSet(&imageFlags)
+	err := cmd.ParseFlags(cmdFlags)
+	require.NoError(t, err)
+	return imageOpts
+}
+
+func TestImageDestOptionsNewSystemContext(t *testing.T) {
+	// Default state
+	opts := fakeImageDestOptions(t, "dest-", true, []string{}, []string{})
+	res, err := opts.newSystemContext()
+	require.NoError(t, err)
+	assert.Equal(t, &types.SystemContext{
+		DockerRegistryUserAgent: defaultUserAgent,
+	}, res)
+
+	oldXRD, hasXRD := os.LookupEnv("REGISTRY_AUTH_FILE")
+	defer func() {
+		if hasXRD {
+			os.Setenv("REGISTRY_AUTH_FILE", oldXRD)
+		} else {
+			os.Unsetenv("REGISTRY_AUTH_FILE")
+		}
+	}()
+	authFile := "/tmp/auth.json"
+	// Make sure when REGISTRY_AUTH_FILE is set the auth file is used
+	os.Setenv("REGISTRY_AUTH_FILE", authFile)
+
+	// Explicitly set everything to default, except for when the default is “not present”
+	opts = fakeImageDestOptions(t, "dest-", true, []string{}, []string{
+		"--dest-compress=false",
+	})
+	res, err = opts.newSystemContext()
+	require.NoError(t, err)
+	assert.Equal(t, &types.SystemContext{
+		AuthFilePath:            authFile,
+		DockerRegistryUserAgent: defaultUserAgent,
+	}, res)
+
+	// Set everything to non-default values.
+	opts = fakeImageDestOptions(t, "dest-", true, []string{
+		"--registries.d", "/srv/registries.d",
+		"--override-arch", "overridden-arch",
+		"--override-os", "overridden-os",
+		"--override-variant", "overridden-variant",
+		"--tmpdir", "/srv",
+	}, []string{
+		"--authfile", "/srv/authfile",
+		"--dest-cert-dir", "/srv/cert-dir",
+		"--dest-shared-blob-dir", "/srv/shared-blob-dir",
+		"--dest-compress=true",
+		"--dest-daemon-host", "daemon-host.example.com",
+		"--dest-tls-verify=false",
+		"--dest-creds", "creds-user:creds-password",
+		"--dest-registry-token", "faketoken",
+		"--dest-precompute-digests=true",
+	})
+	res, err = opts.newSystemContext()
+	require.NoError(t, err)
+	assert.Equal(t, &types.SystemContext{
+		RegistriesDirPath:                   "/srv/registries.d",
+		AuthFilePath:                        "/srv/authfile",
+		ArchitectureChoice:                  "overridden-arch",
+		OSChoice:                            "overridden-os",
+		VariantChoice:                       "overridden-variant",
+		OCISharedBlobDirPath:                "/srv/shared-blob-dir",
+		DockerCertPath:                      "/srv/cert-dir",
+		DockerInsecureSkipTLSVerify:         types.OptionalBoolTrue,
+		DockerAuthConfig:                    &types.DockerAuthConfig{Username: "creds-user", Password: "creds-password"},
+		DockerBearerRegistryToken:           "faketoken",
+		DockerDaemonCertPath:                "/srv/cert-dir",
+		DockerDaemonHost:                    "daemon-host.example.com",
+		DockerDaemonInsecureSkipTLSVerify:   true,
+		DockerRegistryUserAgent:             defaultUserAgent,
+		DirForceCompress:                    true,
+		BigFilesTemporaryDir:                "/srv",
+		DockerRegistryPushPrecomputeDigests: true,
+	}, res)
+
+	// Global/per-command tlsVerify behavior is tested in TestTLSVerifyFlags.
+
+	// Invalid option values in imageOptions
+	opts = fakeImageDestOptions(t, "dest-", true, []string{}, []string{"--dest-creds", ""})
+	_, err = opts.newSystemContext()
+	assert.Error(t, err)
+}
+
+// TestImageOptionsUsernamePassword verifies that using the username and password
+// options works as expected
+func TestImageOptionsUsernamePassword(t *testing.T) {
+	for _, command := range []struct {
+		commandArgs        []string
+		expectedAuthConfig *types.DockerAuthConfig // data to expect, or nil if an error is expected
+	}{
+		// Set only username/password (without --creds), expected to pass
+		{
+			commandArgs:        []string{"--dest-username", "foo", "--dest-password", "bar"},
+			expectedAuthConfig: &types.DockerAuthConfig{Username: "foo", Password: "bar"},
+		},
+		// no username but set password, expect error
+		{
+			commandArgs:        []string{"--dest-password", "foo"},
+			expectedAuthConfig: nil,
+		},
+		// set username but no password. expected to fail (we currently don't allow a user without password)
+		{
+			commandArgs:        []string{"--dest-username", "bar"},
+			expectedAuthConfig: nil,
+		},
+		// set username with --creds, expected to fail
+		{
+			commandArgs:        []string{"--dest-username", "bar", "--dest-creds", "hello:world", "--dest-password", "foo"},
+			expectedAuthConfig: nil,
+		},
+		// set username with --no-creds, expected to fail
+		{
+			commandArgs:        []string{"--dest-username", "bar", "--dest-no-creds", "--dest-password", "foo"},
+			expectedAuthConfig: nil,
+		},
+	} {
+		opts := fakeImageDestOptions(t, "dest-", true, []string{}, command.commandArgs)
+		// parse the command options
+		res, err := opts.newSystemContext()
+		if command.expectedAuthConfig == nil {
+			assert.Error(t, err)
+		} else {
+			require.NoError(t, err)
+			assert.Equal(t, &types.SystemContext{
+				DockerRegistryUserAgent: defaultUserAgent,
+				DockerAuthConfig:        command.expectedAuthConfig,
+			}, res)
+		}
+	}
+}
+
+func TestTLSVerifyFlags(t *testing.T) {
+	type systemContextOpts interface { // Either *imageOptions or *imageDestOptions
+		newSystemContext() (*types.SystemContext, error)
+	}
+
+	for _, creator := range []struct {
+		name    string
+		newOpts func(useDeprecatedTLSVerify bool, globalFlags, cmdFlags []string) systemContextOpts
+	}{
+		{
+			"imageFlags",
+			func(useDeprecatedTLSVerify bool, globalFlags, cmdFlags []string) systemContextOpts {
+				return fakeImageOptions(t, "dest-", useDeprecatedTLSVerify, globalFlags, cmdFlags)
+			},
+		},
+		{
+			"imageDestFlags",
+			func(useDeprecatedTLSVerify bool, globalFlags, cmdFlags []string) systemContextOpts {
+				return fakeImageDestOptions(t, "dest-", useDeprecatedTLSVerify, globalFlags, cmdFlags)
+			},
+		},
+	} {
+		t.Run(creator.name, func(t *testing.T) {
+			for _, c := range []struct {
+				global, deprecatedCmd, cmd string
+				expectedDocker             types.OptionalBool
+				expectedDockerDaemon       bool
+			}{
+				{"", "", "", types.OptionalBoolUndefined, false},
+				{"", "", "false", types.OptionalBoolTrue, true},
+				{"", "", "true", types.OptionalBoolFalse, false},
+				{"", "false", "", types.OptionalBoolTrue, false},
+				{"", "false", "false", types.OptionalBoolTrue, true},
+				{"", "false", "true", types.OptionalBoolFalse, false},
+				{"", "true", "", types.OptionalBoolFalse, false},
+				{"", "true", "false", types.OptionalBoolTrue, true},
+				{"", "true", "true", types.OptionalBoolFalse, false},
+				{"false", "", "", types.OptionalBoolTrue, false},
+				{"false", "", "false", types.OptionalBoolTrue, true},
+				{"false", "", "true", types.OptionalBoolFalse, false},
+				{"false", "false", "", types.OptionalBoolTrue, false},
+				{"false", "false", "false", types.OptionalBoolTrue, true},
+				{"false", "false", "true", types.OptionalBoolFalse, false},
+				{"false", "true", "", types.OptionalBoolFalse, false},
+				{"false", "true", "false", types.OptionalBoolTrue, true},
+				{"false", "true", "true", types.OptionalBoolFalse, false},
+				{"true", "", "", types.OptionalBoolFalse, false},
+				{"true", "", "false", types.OptionalBoolTrue, true},
+				{"true", "", "true", types.OptionalBoolFalse, false},
+				{"true", "false", "", types.OptionalBoolTrue, false},
+				{"true", "false", "false", types.OptionalBoolTrue, true},
+				{"true", "false", "true", types.OptionalBoolFalse, false},
+				{"true", "true", "", types.OptionalBoolFalse, false},
+				{"true", "true", "false", types.OptionalBoolTrue, true},
+				{"true", "true", "true", types.OptionalBoolFalse, false},
+			} {
+				globalFlags := []string{}
+				if c.global != "" {
+					globalFlags = append(globalFlags, "--tls-verify="+c.global)
+				}
+				cmdFlags := []string{}
+				if c.deprecatedCmd != "" {
+					cmdFlags = append(cmdFlags, "--tls-verify="+c.deprecatedCmd)
+				}
+				if c.cmd != "" {
+					cmdFlags = append(cmdFlags, "--dest-tls-verify="+c.cmd)
+				}
+				opts := creator.newOpts(true, globalFlags, cmdFlags)
+				res, err := opts.newSystemContext()
+				require.NoError(t, err)
+				assert.Equal(t, c.expectedDocker, res.DockerInsecureSkipTLSVerify, "%#v", c)
+				assert.Equal(t, c.expectedDockerDaemon, res.DockerDaemonInsecureSkipTLSVerify, "%#v", c)
+
+				if c.deprecatedCmd == "" { // Test also the behavior when deprecatedTLSFlag is not recognized
+					// Use globalFlags from the previous test
+					cmdFlags := []string{}
+					if c.cmd != "" {
+						cmdFlags = append(cmdFlags, "--dest-tls-verify="+c.cmd)
+					}
+					opts := creator.newOpts(false, globalFlags, cmdFlags)
+					res, err = opts.newSystemContext()
+					require.NoError(t, err)
+					assert.Equal(t, c.expectedDocker, res.DockerInsecureSkipTLSVerify, "%#v", c)
+					assert.Equal(t, c.expectedDockerDaemon, res.DockerDaemonInsecureSkipTLSVerify, "%#v", c)
+				}
+			}
+		})
+	}
+}
+
+func TestParseManifestFormat(t *testing.T) {
+	for _, testCase := range []struct {
+		formatParam          string
+		expectedManifestType string
+		expectErr            bool
+	}{
+		{"oci",
+			imgspecv1.MediaTypeImageManifest,
+			false},
+		{"v2s1",
+			manifest.DockerV2Schema1SignedMediaType,
+			false},
+		{"v2s2",
+			manifest.DockerV2Schema2MediaType,
+			false},
+		{"",
+			"",
+			true},
+		{"badValue",
+			"",
+			true},
+	} {
+		manifestType, err := parseManifestFormat(testCase.formatParam)
+		if testCase.expectErr {
+			require.Error(t, err)
+		} else {
+			require.NoError(t, err)
+		}
+		assert.Equal(t, manifestType, testCase.expectedManifestType)
+	}
+}
+
+// since there is a shared authfile image option and a non-shared (prefixed) one, make sure the override logic
+// works correctly.
+func TestImageOptionsAuthfileOverride(t *testing.T) {
+
+	for _, testCase := range []struct {
+		flagPrefix           string
+		cmdFlags             []string
+		expectedAuthfilePath string
+	}{
+		// if there is no prefix, only authfile is allowed.
+		{"",
+			[]string{
+				"--authfile", "/srv/authfile",
+			}, "/srv/authfile"},
+		// if authfile and dest-authfile is provided, dest-authfile wins
+		{"dest-",
+			[]string{
+				"--authfile", "/srv/authfile",
+				"--dest-authfile", "/srv/dest-authfile",
+			}, "/srv/dest-authfile",
+		},
+		// if only the shared authfile is provided, authfile must be present in system context
+		{"dest-",
+			[]string{
+				"--authfile", "/srv/authfile",
+			}, "/srv/authfile",
+		},
+		// if only the dest authfile is provided, dest-authfile must be present in system context
+		{"dest-",
+			[]string{
+				"--dest-authfile", "/srv/dest-authfile",
+			}, "/srv/dest-authfile",
+		},
+	} {
+		opts := fakeImageOptions(t, testCase.flagPrefix, false, []string{}, testCase.cmdFlags)
+		res, err := opts.newSystemContext()
+		require.NoError(t, err)
+
+		assert.Equal(t, &types.SystemContext{
+			AuthFilePath:            testCase.expectedAuthfilePath,
+			DockerRegistryUserAgent: defaultUserAgent,
+		}, res)
+	}
+}

completions/bash/skopeo

@@ -0,0 +1,341 @@
+#! /bin/bash
+
+_complete_() {
+    local options_with_args=$1
+    local boolean_options="$2 -h --help"
+    local transports=$3
+
+    local option_with_args
+    for option_with_args in $options_with_args $transports
+    do
+        if [ "$option_with_args" == "$prev" ] || [ "$option_with_args" == "$cur" ]
+        then
+            return
+        fi
+    done
+
+    case "$cur" in
+        -*)
+            while IFS='' read -r line; do COMPREPLY+=("$line"); done < <(compgen -W "$boolean_options $options_with_args" -- "$cur")
+            ;;
+        *)
+            if [ -n "$transports" ]
+            then
+                compopt -o nospace
+                while IFS='' read -r line; do COMPREPLY+=("$line"); done < <(compgen -W "$transports" -- "$cur")
+            fi
+            ;;
+    esac
+}
+
+_skopeo_supported_transports() {
+    local subcommand=$1
+
+    skopeo "$subcommand" --help | grep "Supported transports" -A 1 | tail -n 1 | sed -e 's/,/:/g' -e 's/$/:/'
+}
+
+_skopeo_copy() {
+    local options_with_args="
+    --authfile
+    --src-authfile
+    --dest-authfile
+    --format -f
+    --multi-arch
+    --sign-by
+    --sign-passphrase-file
+    --src-creds --screds
+    --src-cert-dir
+    --src-tls-verify
+    --dest-creds --dcreds
+    --dest-cert-dir
+    --dest-tls-verify
+    --src-daemon-host
+    --dest-daemon-host
+    --src-registry-token
+    --dest-registry-token
+    --src-username
+    --src-password
+    --dest-username
+    --dest-password
+    "
+
+    local boolean_options="
+    --all
+    --dest-compress
+    --dest-decompress
+    --remove-signatures
+    --src-no-creds
+    --dest-no-creds
+    --dest-oci-accept-uncompressed-layers
+    --dest-precompute-digests
+    --preserve-digests
+    "
+
+    local transports
+    transports="
+    $(_skopeo_supported_transports "${FUNCNAME//"_skopeo_"/}")
+    "
+
+    _complete_ "$options_with_args" "$boolean_options" "$transports"
+}
+
+_skopeo_sync() {
+    local options_with_args="
+    --authfile
+    --dest
+    --dest-authfile
+    --dest-cert-
+    --dest-creds
+    --dest-registry-token string
+    --format
+    --retry-times
+    --sign-by
+    --sign-passphrase-file
+    --src
+    --src-authfile
+    --src-cert-dir
+    --src-creds
+    --src-registry-token
+    --src-username
+    --src-password
+    --dest-username
+    --dest-password
+    "
+
+    local boolean_options="
+    --all
+    --dest-no-creds
+    --dest-tls-verify
+    --remove-signatures
+    --scoped
+    --src-no-creds
+    --src-tls-verify
+    --keep-going
+    --preserve-digests
+    "
+
+    local transports
+    transports="
+    $(_skopeo_supported_transports "${FUNCNAME//"_skopeo_"/}")
+    "
+
+    _complete_ "$options_with_args" "$boolean_options" "$transports"
+}
+
+_skopeo_inspect() {
+     local options_with_args="
+     --authfile
+     --creds
+     --cert-dir
+     --format
+     --retry-times
+     --registry-token
+    --username
+    --password
+     "
+     local boolean_options="
+     --config
+     --raw
+     --tls-verify
+     --no-creds
+     --no-tags -n
+    "
+
+    local transports
+    transports="
+    $(_skopeo_supported_transports "${FUNCNAME//"_skopeo_"/}")
+    "
+
+    _complete_ "$options_with_args" "$boolean_options" "$transports"
+}
+
+_skopeo_standalone_sign() {
+     local options_with_args="
+       -o --output
+       --passphrase-file
+     "
+     local boolean_options="
+     "
+    _complete_ "$options_with_args" "$boolean_options"
+}
+
+_skopeo_standalone_verify() {
+     local options_with_args="
+     "
+     local boolean_options="
+     "
+    _complete_ "$options_with_args" "$boolean_options"
+}
+
+_skopeo_manifest_digest() {
+     local options_with_args="
+     "
+     local boolean_options="
+     "
+    _complete_ "$options_with_args" "$boolean_options"
+}
+
+_skopeo_delete() {
+     local options_with_args="
+     --authfile
+     --creds
+     --cert-dir
+     --registry-token
+    --username
+    --password
+     "
+     local boolean_options="
+     --tls-verify
+     --no-creds
+     "
+
+    local transports
+    transports="
+    $(_skopeo_supported_transports "${FUNCNAME//"_skopeo_"/}")
+    "
+
+    _complete_ "$options_with_args" "$boolean_options" "$transports"
+}
+
+_skopeo_layers() {
+     local options_with_args="
+       --authfile
+       --creds
+       --cert-dir
+       --registry-token
+      --username
+      --password
+     "
+     local boolean_options="
+       --tls-verify
+       --no-creds
+     "
+    _complete_ "$options_with_args" "$boolean_options"
+}
+
+_skopeo_list_repository_tags() {
+     local options_with_args="
+     --authfile
+     --creds
+     --cert-dir
+     --registry-token
+    --username
+    --password
+     "
+
+     local boolean_options="
+     --tls-verify
+     --no-creds
+     "
+    _complete_ "$options_with_args" "$boolean_options"
+}
+
+_skopeo_login() {
+    local options_with_args="
+    --authfile
+    --cert-dir
+    --password -p
+    --username -u
+    "
+
+    local boolean_options="
+    --get-login
+    --tls-verify
+    --password-stdin
+    "
+    _complete_ "$options_with_args" "$boolean_options"
+}
+
+_skopeo_logout() {
+    local options_with_args="
+    --authfile
+    "
+
+    local boolean_options="
+    --all -a
+    "
+    _complete_ "$options_with_args" "$boolean_options"
+}
+
+_skopeo_skopeo() {
+     # XXX: Changes here need to be reflected in the manually expanded
+     # string in the `case` statement below as well.
+     local options_with_args="
+       --policy
+       --registries.d
+       --override-arch
+       --override-os
+       --override-variant
+       --command-timeout
+       --tmpdir
+     "
+     local boolean_options="
+       --insecure-policy
+       --debug
+       --version -v
+       --help -h
+     "
+
+     local commands=(
+       copy
+       delete
+       inspect
+       list-tags
+       login
+       logout
+       manifest-digest
+       standalone-sign
+       standalone-verify
+       sync
+       help
+       h
+     )
+
+     case "$prev" in
+         # XXX: Changes here need to be reflected in $options_with_args as well.
+         --policy|--registries.d|--override-arch|--override-os|--override-variant|--command-timeout)
+             return
+             ;;
+     esac
+
+     case "$cur" in
+         -*)
+             while IFS='' read -r line; do COMPREPLY+=("$line"); done < <(compgen -W "$boolean_options $options_with_args" -- "$cur")
+             ;;
+         *)
+             while IFS='' read -r line; do COMPREPLY+=("$line"); done < <(compgen -W "${commands[*]} help" -- "$cur")
+             ;;
+     esac
+}
+
+_cli_bash_autocomplete() {
+     local cur
+
+     COMPREPLY=()
+     cur="${COMP_WORDS[COMP_CWORD]}"
+     COMPREPLY=()
+     local cur prev words cword
+
+     _get_comp_words_by_ref -n : cur prev words cword
+
+     local command="skopeo" cpos=0
+     local counter=1
+     while [ $counter -lt "$cword" ]; do
+         case "${words[$counter]}" in
+             skopeo|copy|sync|inspect|delete|manifest-digest|standalone-sign|standalone-verify|help|h|list-repository-tags)
+                 command="${words[$counter]//-/_}"
+                 cpos=$counter
+                 (( cpos++ ))
+                 break
+                 ;;
+         esac
+         (( counter++ ))
+     done
+
+     local completions_func=_skopeo_${command}
+     declare -F "$completions_func" >/dev/null && $completions_func
+
+     return 0
+}
+
+ complete -F _cli_bash_autocomplete skopeo

contrib/cirrus/runner.sh

@@ -0,0 +1,153 @@
+#!/bin/bash
+
+# This script is intended to be executed by automation or humans
+# under a hack/get_ci_vm.sh context.  Use under any other circumstances
+# is unlikely to function.
+
+set -e
+
+_EOL=20270501
+if [[ $(date +%Y%m%d) -ge $_EOL ]]; then
+    die "As of $_EOL this branch is probably
+no longer supported in RHEL 9.0/8.8, please
+confirm this with RHEL Program Management.  If so:
+It should be removed from Cirrus-Cron,
+the .cirrus.yml file removed, and
+the VM images (manually) unmarked
+'permanent=true'"
+fi
+
+# BEGIN Global export of all variables
+set -a
+
+# Due to differences across platforms and runtime execution environments,
+# handling of the (otherwise) default shell setup is non-uniform.  Rather
+# than attempt to workaround differences, simply force-load/set required
+# items every time this library is utilized.
+USER="$(whoami)"
+HOME="$(getent passwd $USER | cut -d : -f 6)"
+# Some platforms set and make this read-only
+[[ -n "$UID" ]] || \
+    UID=$(getent passwd $USER | cut -d : -f 3)
+
+if [[ -r "/etc/automation_environment" ]]; then
+    source /etc/automation_environment
+    source $AUTOMATION_LIB_PATH/common_lib.sh
+else
+    (
+    echo "WARNING: It does not appear that containers/automation was installed."
+    echo "         Functionality of most of ${BASH_SOURCE[0]} will be negatively"
+    echo "         impacted."
+    ) > /dev/stderr
+fi
+
+# This is the magic interpreted by the tests to allow modifying local config/services.
+SKOPEO_CONTAINER_TESTS=1
+
+PATH=$PATH:$GOPATH/bin
+
+# END Global export of all variables
+set +a
+
+
+_run_setup() {
+    local mnt
+    local errmsg
+    req_env_vars SKOPEO_CIDEV_CONTAINER_FQIN
+    if [[ "$OS_RELEASE_ID" != "fedora" ]]; then
+        die "Unknown/unsupported distro. $OS_REL_VER"
+    fi
+
+    if [[ -r "/.ci_setup_complete" ]]; then
+        warn "Thwarted an attempt to execute setup more than once."
+        return
+    fi
+
+    # VM's come with the distro. skopeo package pre-installed
+    dnf erase -y skopeo
+
+    msg "Removing systemd-resolved from nsswitch.conf"
+    # /etc/resolv.conf is already set to bypass systemd-resolvd
+    sed -i -r -e 's/^(hosts.+)resolve.+dns/\1dns/' /etc/nsswitch.conf
+
+    # A slew of compiled binaries are pre-built and distributed
+    # within the CI/Dev container image, but we want to run
+    # things directly on the host VM.  Fortunately they're all
+    # located in the container under /usr/local/bin
+    msg "Accessing contents of $SKOPEO_CIDEV_CONTAINER_FQIN"
+    podman pull --quiet $SKOPEO_CIDEV_CONTAINER_FQIN
+    mnt=$(podman mount $(podman create $SKOPEO_CIDEV_CONTAINER_FQIN))
+
+    # The container and VM images are built in tandem in the same repo.
+    # automation, but the sources are in different directories.  It's
+    # possible for a mismatch to happen, but should (hopefully) be unlikely.
+    # Double-check to make sure.
+    if ! fgrep -qx "ID=$OS_RELEASE_ID" $mnt/etc/os-release || \
+       ! fgrep -qx "VERSION_ID=$OS_RELEASE_VER" $mnt/etc/os-release; then
+            die "Somehow $SKOPEO_CIDEV_CONTAINER_FQIN is not based on $OS_REL_VER."
+    fi
+    msg "Copying test binaries from $SKOPEO_CIDEV_CONTAINER_FQIN /usr/local/bin/"
+    cp -a "$mnt/usr/local/bin/"* "/usr/local/bin/"
+    msg "Configuring the openshift registry"
+
+    # TODO: Put directory & yaml into more sensible place + update integration tests
+    mkdir -vp /registry
+    cp -a "$mnt/atomic-registry-config.yml" /
+
+    msg "Cleaning up"
+    podman umount --latest
+    podman rm --latest
+
+    # Ensure setup can only run once
+    touch "/.ci_setup_complete"
+}
+
+_run_vendor() {
+    make vendor BUILDTAGS="$BUILDTAGS"
+}
+
+_run_build() {
+    make bin/skopeo BUILDTAGS="$BUILDTAGS"
+    make install PREFIX=/usr/local
+}
+
+_run_cross() {
+    make local-cross BUILDTAGS="$BUILDTAGS"
+}
+
+_run_doccheck() {
+    make validate-docs BUILDTAGS="$BUILDTAGS"
+}
+
+_run_unit() {
+    make test-unit-local BUILDTAGS="$BUILDTAGS"
+}
+
+_run_integration() {
+    # Ensure we start with a clean-slate
+    podman system reset --force
+
+    make test-integration-local BUILDTAGS="$BUILDTAGS"
+}
+
+_run_system() {
+    # Ensure we start with a clean-slate
+    podman system reset --force
+
+    # Executes with containers required for testing.
+    make test-system-local BUILDTAGS="$BUILDTAGS"
+}
+
+req_env_vars SKOPEO_PATH BUILDTAGS
+
+handler="_run_${1}"
+if [ "$(type -t $handler)" != "function" ]; then
+    die "Unknown/Unsupported command-line argument '$1'"
+fi
+
+msg "************************************************************"
+msg "Runner executing $1 on $OS_REL_VER"
+msg "************************************************************"
+
+cd "$SKOPEO_PATH"
+$handler

contrib/skopeoimage/README.md

@@ -0,0 +1,56 @@
+<img src="https://cdn.rawgit.com/containers/skopeo/master/docs/skopeo.svg" width="250">
+
+----
+
+# skopeoimage
+
+## Overview
+
+This directory contains the Dockerfiles necessary to create the skopeoimage container
+images that are housed on quay.io under the skopeo account.  All repositories where
+the images live are public and can be pulled without credentials.  These container images are secured and the
+resulting containers can run safely with privileges within the container.
+
+The container images are built using the latest Fedora and then Skopeo is installed into them.
+The PATH in the container images is set to the default PATH provided by Fedora.  Also, the
+ENTRYPOINT and the WORKDIR variables are not set within these container images, as such they
+default to `/`.
+
+The container images are:
+
+  * `quay.io/containers/skopeo:<version>` and `quay.io/skopeo/stable:<version>` -
+    These images are built when a new Skopeo version becomes available in
+    Fedora.  These images are intended to be unchanging and stable, they will
+    never be updated by automation once they've been pushed.  For build details,
+    please [see the configuration file](stable/Dockerfile).
+  * `quay.io/containers/skopeo:latest` and `quay.io/skopeo/stable:latest` -
+    Built daily using the same Dockerfile as above.  The skopeo version
+    will remain the "latest" available in Fedora, however the image
+    contents may vary compared to the version-tagged images.
+  * `quay.io/skopeo/testing:latest` - This image is built daily, using the
+    latest version of Skopeo that was in the Fedora `updates-testing` repository.
+    The image is Built with [the testing Dockerfile](testing/Dockerfile).
+  * `quay.io/skopeo/upstream:latest` - This image is built daily using the latest
+    code found in this GitHub repository.  Due to the image changing frequently,
+    it's not guaranteed to be stable or even executable.  The image is built with
+    [the upstream Dockerfile](upstream/Dockerfile).
+
+
+## Sample Usage
+
+Although not required, it is suggested that [Podman](https://github.com/containers/podman) be used with these container images.
+
+```
+# Get Help on Skopeo
+podman run docker://quay.io/skopeo/stable:latest --help
+
+# Get help on the Skopeo Copy command
+podman run docker://quay.io/skopeo/stable:latest copy --help
+
+# Copy the Skopeo container image from quay.io to
+# a private registry
+podman run docker://quay.io/skopeo/stable:latest copy docker://quay.io/skopeo/stable docker://registry.internal.company.com/skopeo
+
+# Inspect the fedora:latest image
+podman run docker://quay.io/skopeo/stable:latest inspect --config docker://registry.fedoraproject.org/fedora:latest  | jq
+```

contrib/skopeoimage/stable/Dockerfile

@@ -0,0 +1,33 @@
+# stable/Dockerfile
+#
+# Build a Skopeo container image from the latest
+# stable version of Skopeo on the Fedoras Updates System.
+# https://bodhi.fedoraproject.org/updates/?search=skopeo
+# This image can be used to create a secured container
+# that runs safely with privileges within the container.
+#
+FROM registry.fedoraproject.org/fedora:latest
+
+# Don't include container-selinux and remove
+# directories used by yum that are just taking
+# up space.  Also reinstall shadow-utils as without
+# doing so, the setuid/setgid bits on newuidmap
+# and newgidmap are lost in the Fedora images. 
+RUN useradd skopeo; yum -y update; yum -y reinstall shadow-utils; yum -y install skopeo fuse-overlayfs --exclude container-selinux; yum -y clean all; rm -rf /var/cache/dnf/* /var/log/dnf* /var/log/yum*
+
+# Adjust storage.conf to enable Fuse storage.
+RUN sed -i -e 's|^#mount_program|mount_program|g' -e '/additionalimage.*/a "/var/lib/shared",' -e 's|^mountopt[[:space:]]*=.*$|mountopt = "nodev,fsync=0"|g' /etc/containers/storage.conf
+
+# Setup the ability to use additional stores
+# with this container image.
+RUN mkdir -p /var/lib/shared/overlay-images /var/lib/shared/overlay-layers; touch /var/lib/shared/overlay-images/images.lock; touch /var/lib/shared/overlay-layers/layers.lock
+
+# Setup skopeo's uid/guid entries
+RUN echo skopeo:100000:65536 > /etc/subuid
+RUN echo skopeo:100000:65536 > /etc/subgid
+
+# Point to the Authorization file
+ENV REGISTRY_AUTH_FILE=/tmp/auth.json
+
+# Set the entrypoint
+ENTRYPOINT ["/usr/bin/skopeo"]

contrib/skopeoimage/testing/Dockerfile

@@ -0,0 +1,34 @@
+# testing/Dockerfile
+#
+# Build a Skopeo container image from the latest
+# version of Skopeo that is in updates-testing
+# on the Fedoras Updates System.
+# https://bodhi.fedoraproject.org/updates/?search=skopeo
+# This image can be used to create a secured container
+# that runs safely with privileges within the container.
+#
+FROM registry.fedoraproject.org/fedora:latest
+
+# Don't include container-selinux and remove
+# directories used by yum that are just taking
+# up space.  Also reinstall shadow-utils as without
+# doing so, the setuid/setgid bits on newuidmap
+# and newgidmap are lost in the Fedora images. 
+RUN useradd skopeo; yum -y update; yum -y reinstall shadow-utils; yum -y install skopeo fuse-overlayfs --enablerepo updates-testing --exclude container-selinux; yum -y clean all; rm -rf /var/cache/dnf/* /var/log/dnf* /var/log/yum*
+
+# Adjust storage.conf to enable Fuse storage.
+RUN sed -i -e 's|^#mount_program|mount_program|g' -e '/additionalimage.*/a "/var/lib/shared",' -e 's|^mountopt[[:space:]]*=.*$|mountopt = "nodev,fsync=0"|g' /etc/containers/storage.conf
+
+# Setup the ability to use additional stores
+# with this container image.
+RUN mkdir -p /var/lib/shared/overlay-images /var/lib/shared/overlay-layers; touch /var/lib/shared/overlay-images/images.lock; touch /var/lib/shared/overlay-layers/layers.lock
+
+# Setup skopeo's uid/guid entries
+RUN echo skopeo:100000:65536 > /etc/subuid
+RUN echo skopeo:100000:65536 > /etc/subgid
+
+# Point to the Authorization file
+ENV REGISTRY_AUTH_FILE=/tmp/auth.json
+
+# Set the entrypoint
+ENTRYPOINT ["/usr/bin/skopeo"]

contrib/skopeoimage/upstream/Dockerfile

@@ -0,0 +1,54 @@
+# upstream/Dockerfile
+#
+# Build a Skopeo container image from the latest
+# upstream version of Skopeo on GitHub.
+# https://github.com/containers/skopeo
+# This image can be used to create a secured container
+# that runs safely with privileges within the container.
+#
+FROM registry.fedoraproject.org/fedora:latest
+
+# Don't include container-selinux and remove
+# directories used by yum that are just taking
+# up space.  Also reinstall shadow-utils as without
+# doing so, the setuid/setgid bits on newuidmap
+# and newgidmap are lost in the Fedora images. 
+RUN useradd skopeo; yum -y update; yum -y reinstall shadow-utils; \
+yum -y install make \
+golang \
+git \
+go-md2man \
+fuse-overlayfs \
+fuse3 \
+containers-common \
+gpgme-devel \
+libassuan-devel \
+btrfs-progs-devel \
+device-mapper-devel --enablerepo updates-testing --exclude container-selinux; \
+mkdir /root/skopeo; \
+git clone https://github.com/containers/skopeo /root/skopeo/src/github.com/containers/skopeo; \
+export GOPATH=/root/skopeo; \
+cd /root/skopeo/src/github.com/containers/skopeo; \
+make bin/skopeo;\
+make PREFIX=/usr install;\
+rm -rf /root/skopeo/*; \
+yum -y remove git golang go-md2man make; \
+yum -y clean all; yum -y clean all; rm -rf /var/cache/dnf/* /var/log/dnf* /var/log/yum*
+
+
+# Adjust storage.conf to enable Fuse storage.
+RUN sed -i -e 's|^#mount_program|mount_program|g' -e '/additionalimage.*/a "/var/lib/shared",' -e 's|^mountopt[[:space:]]*=.*$|mountopt = "nodev,fsync=0"|g' /etc/containers/storage.conf
+
+# Setup the ability to use additional stores
+# with this container image.
+RUN mkdir -p /var/lib/shared/overlay-images /var/lib/shared/overlay-layers; touch /var/lib/shared/overlay-images/images.lock; touch /var/lib/shared/overlay-layers/layers.lock
+
+# Setup skopeo's uid/guid entries
+RUN echo skopeo:100000:65536 > /etc/subuid
+RUN echo skopeo:100000:65536 > /etc/subgid
+
+# Point to the Authorization file
+ENV REGISTRY_AUTH_FILE=/tmp/auth.json
+
+# Set the entrypoint
+ENTRYPOINT ["/usr/bin/skopeo"]

default-policy.json

@@ -0,0 +1,14 @@
+{
+    "default": [
+        {
+            "type": "insecureAcceptAnything"
+        }
+    ],
+    "transports":
+        {
+            "docker-daemon":
+                {
+                    "": [{"type":"insecureAcceptAnything"}]
+                }
+        }
+}

default.yaml

@@ -0,0 +1,26 @@
+# This is a default registries.d configuration file.  You may
+# add to this file or create additional files in registries.d/.
+#
+# sigstore: indicates a location that is read and write
+# sigstore-staging: indicates a location that is only for write
+#
+# sigstore and sigstore-staging take a value of the following:
+#   sigstore:  {schema}://location
+#
+# For reading signatures, schema may be http, https, or file.
+# For writing signatures, schema may only be file.
+
+# This is the default signature write location for docker registries.
+default-docker:
+#  sigstore: file:///var/lib/containers/sigstore
+  sigstore-staging: file:///var/lib/containers/sigstore
+
+# The 'docker' indicator here is the start of the configuration
+# for docker registries.
+#
+# docker:
+#
+#   privateregistry.com:
+#    sigstore: http://privateregistry.com/sigstore/
+#    sigstore-staging: /mnt/nfs/privateregistry/sigstore
+

docker/inspect.go

@@ -1,311 +0,0 @@
-package docker
-
-import (
-	"encoding/json"
-	"fmt"
-	"os"
-	"path/filepath"
-	"strings"
-	"time"
-
-	"github.com/Sirupsen/logrus"
-	"github.com/codegangsta/cli"
-	"github.com/docker/distribution/digest"
-	distreference "github.com/docker/distribution/reference"
-	"github.com/docker/docker/api"
-	"github.com/docker/docker/cliconfig"
-	"github.com/docker/docker/image"
-	versionPkg "github.com/docker/docker/pkg/version"
-	"github.com/docker/docker/reference"
-	"github.com/docker/docker/registry"
-	engineTypes "github.com/docker/engine-api/types"
-	registryTypes "github.com/docker/engine-api/types/registry"
-	"github.com/opencontainers/runc/libcontainer/user"
-	"github.com/runcom/skopeo/types"
-	"golang.org/x/net/context"
-)
-
-// fallbackError wraps an error that can possibly allow fallback to a different
-// endpoint.
-type fallbackError struct {
-	// err is the error being wrapped.
-	err error
-	// confirmedV2 is set to true if it was confirmed that the registry
-	// supports the v2 protocol. This is used to limit fallbacks to the v1
-	// protocol.
-	confirmedV2 bool
-}
-
-// Error renders the FallbackError as a string.
-func (f fallbackError) Error() string {
-	return f.err.Error()
-}
-
-type manifestFetcher interface {
-	Fetch(ctx context.Context, ref reference.Named) (*types.ImageInspect, error)
-}
-
-func validateName(name string) error {
-	distref, err := distreference.ParseNamed(name)
-	if err != nil {
-		return err
-	}
-	hostname, _ := distreference.SplitHostname(distref)
-	if hostname == "" {
-		return fmt.Errorf("Please use a fully qualified repository name")
-	}
-	return nil
-}
-
-func GetData(c *cli.Context, name string) (*types.ImageInspect, error) {
-	if err := validateName(name); err != nil {
-		return nil, err
-	}
-	ref, err := reference.ParseNamed(name)
-	if err != nil {
-		return nil, err
-	}
-	repoInfo, err := registry.ParseRepositoryInfo(ref)
-	if err != nil {
-		return nil, err
-	}
-	authConfig, err := getAuthConfig(c, repoInfo.Index)
-	if err != nil {
-		return nil, err
-	}
-	if err := validateRepoName(repoInfo.Name()); err != nil {
-		return nil, err
-	}
-	//options := &registry.Options{}
-	//options.Mirrors = opts.NewListOpts(nil)
-	//options.InsecureRegistries = opts.NewListOpts(nil)
-	//options.InsecureRegistries.Set("0.0.0.0/0")
-	//registryService := registry.NewService(options)
-	registryService := registry.NewService(nil)
-	//// TODO(runcom): hacky, provide a way of passing tls cert (flag?) to be used to lookup
-	//for _, ic := range registryService.Config.IndexConfigs {
-	//ic.Secure = false
-	//}
-
-	endpoints, err := registryService.LookupPullEndpoints(repoInfo)
-	if err != nil {
-		return nil, err
-	}
-
-	var (
-		ctx                    = context.Background()
-		lastErr                error
-		discardNoSupportErrors bool
-		imgInspect             *types.ImageInspect
-		confirmedV2            bool
-	)
-
-	for _, endpoint := range endpoints {
-		// make sure I can reach the registry, same as docker pull does
-		v1endpoint, err := endpoint.ToV1Endpoint(nil)
-		if err != nil {
-			return nil, err
-		}
-		if _, err := v1endpoint.Ping(); err != nil {
-			if strings.Contains(err.Error(), "timeout") {
-				return nil, err
-			}
-			continue
-		}
-
-		if confirmedV2 && endpoint.Version == registry.APIVersion1 {
-			logrus.Debugf("Skipping v1 endpoint %s because v2 registry was detected", endpoint.URL)
-			continue
-		}
-		logrus.Debugf("Trying to fetch image manifest of %s repository from %s %s", repoInfo.Name(), endpoint.URL, endpoint.Version)
-
-		//fetcher, err := newManifestFetcher(endpoint, repoInfo, config)
-		fetcher, err := newManifestFetcher(endpoint, repoInfo, authConfig, registryService)
-		if err != nil {
-			lastErr = err
-			continue
-		}
-
-		if imgInspect, err = fetcher.Fetch(ctx, ref); err != nil {
-			// Was this fetch cancelled? If so, don't try to fall back.
-			fallback := false
-			select {
-			case <-ctx.Done():
-			default:
-				if fallbackErr, ok := err.(fallbackError); ok {
-					fallback = true
-					confirmedV2 = confirmedV2 || fallbackErr.confirmedV2
-					err = fallbackErr.err
-				}
-			}
-			if fallback {
-				if _, ok := err.(registry.ErrNoSupport); !ok {
-					// Because we found an error that's not ErrNoSupport, discard all subsequent ErrNoSupport errors.
-					discardNoSupportErrors = true
-					// save the current error
-					lastErr = err
-				} else if !discardNoSupportErrors {
-					// Save the ErrNoSupport error, because it's either the first error or all encountered errors
-					// were also ErrNoSupport errors.
-					lastErr = err
-				}
-				continue
-			}
-			logrus.Debugf("Not continuing with error: %v", err)
-			return nil, err
-		}
-
-		return imgInspect, nil
-	}
-
-	if lastErr == nil {
-		lastErr = fmt.Errorf("no endpoints found for %s", ref.String())
-	}
-
-	return nil, lastErr
-}
-
-func newManifestFetcher(endpoint registry.APIEndpoint, repoInfo *registry.RepositoryInfo, authConfig engineTypes.AuthConfig, registryService *registry.Service) (manifestFetcher, error) {
-	switch endpoint.Version {
-	case registry.APIVersion2:
-		return &v2ManifestFetcher{
-			endpoint:   endpoint,
-			authConfig: authConfig,
-			service:    registryService,
-			repoInfo:   repoInfo,
-		}, nil
-	case registry.APIVersion1:
-		return &v1ManifestFetcher{
-			endpoint:   endpoint,
-			authConfig: authConfig,
-			service:    registryService,
-			repoInfo:   repoInfo,
-		}, nil
-	}
-	return nil, fmt.Errorf("unknown version %d for registry %s", endpoint.Version, endpoint.URL)
-}
-
-func getAuthConfig(c *cli.Context, index *registryTypes.IndexInfo) (engineTypes.AuthConfig, error) {
-	var (
-		username      = c.GlobalString("username")
-		password      = c.GlobalString("password")
-		cfg           = c.GlobalString("docker-cfg")
-		defAuthConfig = engineTypes.AuthConfig{
-			Username: c.GlobalString("username"),
-			Password: c.GlobalString("password"),
-			Email:    "stub@example.com",
-		}
-	)
-
-	//
-	// FINAL TODO(runcom): avoid returning empty config! just fallthrough and return
-	// the first useful authconfig
-	//
-
-	// TODO(runcom): ??? atomic needs this
-	// TODO(runcom): implement this to opt-in for docker-cfg, no need to make this
-	// work by default with docker's conf
-	//useDockerConf := c.GlobalString("use-docker-cfg")
-
-	if username != "" && password != "" {
-		return defAuthConfig, nil
-	}
-
-	sudoUserEnv := os.Getenv("SUDO_USER")
-	if sudoUserEnv != "" {
-		sudoUser, err := user.LookupUser(sudoUserEnv)
-		if err != nil {
-			return engineTypes.AuthConfig{}, err
-		}
-		// override the given docker conf file if called with sudo
-		cfg = filepath.Join(sudoUser.Home, ".docker")
-	}
-
-	if _, err := os.Stat(cfg); err != nil {
-		logrus.Debugf("Docker cli config file %q not found: %v, falling back to --username and --password if needed", cfg, err)
-		if os.IsNotExist(err) {
-			return defAuthConfig, nil
-		}
-		return engineTypes.AuthConfig{}, nil
-	}
-	confFile, err := cliconfig.Load(cfg)
-	if err != nil {
-		return engineTypes.AuthConfig{}, err
-	}
-	authConfig := registry.ResolveAuthConfig(confFile.AuthConfigs, index)
-	logrus.Debugf("authConfig for %s: %v", index.Name, authConfig)
-
-	return authConfig, nil
-}
-
-func validateRepoName(name string) error {
-	if name == "" {
-		return fmt.Errorf("Repository name can't be empty")
-	}
-	if name == api.NoBaseImageSpecifier {
-		return fmt.Errorf("'%s' is a reserved name", api.NoBaseImageSpecifier)
-	}
-	return nil
-}
-
-func makeImageInspect(img *image.Image, tag string, dgst digest.Digest, tagList []string) *types.ImageInspect {
-	var digest string
-	if err := dgst.Validate(); err == nil {
-		digest = dgst.String()
-	}
-	return &types.ImageInspect{
-		Tag:             tag,
-		Digest:          digest,
-		RepoTags:        tagList,
-		Comment:         img.Comment,
-		Created:         img.Created.Format(time.RFC3339Nano),
-		ContainerConfig: &img.ContainerConfig,
-		DockerVersion:   img.DockerVersion,
-		Author:          img.Author,
-		Config:          img.Config,
-		Architecture:    img.Architecture,
-		Os:              img.OS,
-	}
-}
-
-func makeRawConfigFromV1Config(imageJSON []byte, rootfs *image.RootFS, history []image.History) (map[string]*json.RawMessage, error) {
-	var dver struct {
-		DockerVersion string `json:"docker_version"`
-	}
-
-	if err := json.Unmarshal(imageJSON, &dver); err != nil {
-		return nil, err
-	}
-
-	useFallback := versionPkg.Version(dver.DockerVersion).LessThan("1.8.3")
-
-	if useFallback {
-		var v1Image image.V1Image
-		err := json.Unmarshal(imageJSON, &v1Image)
-		if err != nil {
-			return nil, err
-		}
-		imageJSON, err = json.Marshal(v1Image)
-		if err != nil {
-			return nil, err
-		}
-	}
-
-	var c map[string]*json.RawMessage
-	if err := json.Unmarshal(imageJSON, &c); err != nil {
-		return nil, err
-	}
-
-	c["rootfs"] = rawJSON(rootfs)
-	c["history"] = rawJSON(history)
-
-	return c, nil
-}
-
-func rawJSON(value interface{}) *json.RawMessage {
-	jsonval, err := json.Marshal(value)
-	if err != nil {
-		return nil
-	}
-	return (*json.RawMessage)(&jsonval)
-}

docker/inspect_v1.go

@@ -1,168 +0,0 @@
-package docker
-
-import (
-	"encoding/json"
-	"errors"
-	"fmt"
-	"strings"
-
-	"github.com/Sirupsen/logrus"
-	"github.com/docker/distribution"
-	"github.com/docker/distribution/registry/client/transport"
-	"github.com/docker/docker/image"
-	"github.com/docker/docker/image/v1"
-	"github.com/docker/docker/reference"
-	"github.com/docker/docker/registry"
-	engineTypes "github.com/docker/engine-api/types"
-	"github.com/runcom/skopeo/types"
-	"golang.org/x/net/context"
-)
-
-type v1ManifestFetcher struct {
-	endpoint    registry.APIEndpoint
-	repoInfo    *registry.RepositoryInfo
-	repo        distribution.Repository
-	confirmedV2 bool
-	// wrap in a config?
-	authConfig engineTypes.AuthConfig
-	service    *registry.Service
-	session    *registry.Session
-}
-
-func (mf *v1ManifestFetcher) Fetch(ctx context.Context, ref reference.Named) (*types.ImageInspect, error) {
-	var (
-		imgInspect *types.ImageInspect
-	)
-	if _, isCanonical := ref.(reference.Canonical); isCanonical {
-		// Allowing fallback, because HTTPS v1 is before HTTP v2
-		return nil, fallbackError{err: registry.ErrNoSupport{errors.New("Cannot pull by digest with v1 registry")}}
-	}
-	tlsConfig, err := mf.service.TLSConfig(mf.repoInfo.Index.Name)
-	if err != nil {
-		return nil, err
-	}
-	// Adds Docker-specific headers as well as user-specified headers (metaHeaders)
-	tr := transport.NewTransport(
-		registry.NewTransport(tlsConfig),
-		//registry.DockerHeaders(mf.config.MetaHeaders)...,
-		registry.DockerHeaders(nil)...,
-	)
-	client := registry.HTTPClient(tr)
-	//v1Endpoint, err := mf.endpoint.ToV1Endpoint(mf.config.MetaHeaders)
-	v1Endpoint, err := mf.endpoint.ToV1Endpoint(nil)
-	if err != nil {
-		logrus.Debugf("Could not get v1 endpoint: %v", err)
-		return nil, fallbackError{err: err}
-	}
-	mf.session, err = registry.NewSession(client, &mf.authConfig, v1Endpoint)
-	if err != nil {
-		logrus.Debugf("Fallback from error: %s", err)
-		return nil, fallbackError{err: err}
-	}
-	imgInspect, err = mf.fetchWithSession(ctx, ref)
-	if err != nil {
-		return nil, err
-	}
-	return imgInspect, nil
-}
-
-func (mf *v1ManifestFetcher) fetchWithSession(ctx context.Context, ref reference.Named) (*types.ImageInspect, error) {
-	repoData, err := mf.session.GetRepositoryData(mf.repoInfo)
-	if err != nil {
-		if strings.Contains(err.Error(), "HTTP code: 404") {
-			return nil, fmt.Errorf("Error: image %s not found", mf.repoInfo.RemoteName())
-		}
-		// Unexpected HTTP error
-		return nil, err
-	}
-
-	var tagsList map[string]string
-	tagsList, err = mf.session.GetRemoteTags(repoData.Endpoints, mf.repoInfo)
-	if err != nil {
-		logrus.Errorf("unable to get remote tags: %s", err)
-		return nil, err
-	}
-
-	logrus.Debugf("Retrieving the tag list")
-	tagged, isTagged := ref.(reference.NamedTagged)
-	var tagID, tag string
-	if isTagged {
-		tag = tagged.Tag()
-		tagsList[tagged.Tag()] = tagID
-	} else {
-		ref, err = reference.WithTag(ref, reference.DefaultTag)
-		if err != nil {
-			return nil, err
-		}
-		tagged, _ := ref.(reference.NamedTagged)
-		tag = tagged.Tag()
-		tagsList[tagged.Tag()] = tagID
-	}
-	tagID, err = mf.session.GetRemoteTag(repoData.Endpoints, mf.repoInfo, tag)
-	if err == registry.ErrRepoNotFound {
-		return nil, fmt.Errorf("Tag %s not found in repository %s", tag, mf.repoInfo.FullName())
-	}
-	if err != nil {
-		logrus.Errorf("unable to get remote tags: %s", err)
-		return nil, err
-	}
-
-	tagList := []string{}
-	for tag := range tagsList {
-		tagList = append(tagList, tag)
-	}
-
-	img := repoData.ImgList[tagID]
-
-	var pulledImg *image.Image
-	for _, ep := range mf.repoInfo.Index.Mirrors {
-		if pulledImg, err = mf.pullImageJSON(img.ID, ep, repoData.Tokens); err != nil {
-			// Don't report errors when pulling from mirrors.
-			logrus.Debugf("Error pulling image json of %s:%s, mirror: %s, %s", mf.repoInfo.FullName(), img.Tag, ep, err)
-			continue
-		}
-		break
-	}
-	if pulledImg == nil {
-		for _, ep := range repoData.Endpoints {
-			if pulledImg, err = mf.pullImageJSON(img.ID, ep, repoData.Tokens); err != nil {
-				// It's not ideal that only the last error is returned, it would be better to concatenate the errors.
-				logrus.Infof("Error pulling image json of %s:%s, endpoint: %s, %v", mf.repoInfo.FullName(), img.Tag, ep, err)
-				continue
-			}
-			break
-		}
-	}
-	if err != nil {
-		return nil, fmt.Errorf("Error pulling image (%s) from %s, %v", img.Tag, mf.repoInfo.FullName(), err)
-	}
-	if pulledImg == nil {
-		return nil, fmt.Errorf("No such image %s:%s", mf.repoInfo.FullName(), tag)
-	}
-
-	return makeImageInspect(pulledImg, tag, "", tagList), nil
-}
-
-func (mf *v1ManifestFetcher) pullImageJSON(imgID, endpoint string, token []string) (*image.Image, error) {
-	imgJSON, _, err := mf.session.GetRemoteImageJSON(imgID, endpoint)
-	if err != nil {
-		return nil, err
-	}
-	h, err := v1.HistoryFromConfig(imgJSON, false)
-	if err != nil {
-		return nil, err
-	}
-	configRaw, err := makeRawConfigFromV1Config(imgJSON, image.NewRootFS(), []image.History{h})
-	if err != nil {
-		return nil, err
-	}
-	config, err := json.Marshal(configRaw)
-	if err != nil {
-		return nil, err
-	}
-	img, err := image.NewFromJSON(config)
-	if err != nil {
-		return nil, err
-	}
-	return img, nil
-}

docker/inspect_v2.go

@@ -1,474 +0,0 @@
-package docker
-
-import (
-	"encoding/json"
-	"errors"
-	"fmt"
-	"runtime"
-
-	"github.com/Sirupsen/logrus"
-	"github.com/docker/distribution"
-	"github.com/docker/distribution/digest"
-	"github.com/docker/distribution/manifest/manifestlist"
-	"github.com/docker/distribution/manifest/schema1"
-	"github.com/docker/distribution/manifest/schema2"
-	"github.com/docker/distribution/registry/api/errcode"
-	"github.com/docker/distribution/registry/client"
-	dockerdistribution "github.com/docker/docker/distribution"
-	"github.com/docker/docker/image"
-	"github.com/docker/docker/image/v1"
-	"github.com/docker/docker/reference"
-	"github.com/docker/docker/registry"
-	engineTypes "github.com/docker/engine-api/types"
-	"github.com/runcom/skopeo/types"
-	"golang.org/x/net/context"
-)
-
-type v2ManifestFetcher struct {
-	endpoint    registry.APIEndpoint
-	repoInfo    *registry.RepositoryInfo
-	repo        distribution.Repository
-	confirmedV2 bool
-	// wrap in a config?
-	authConfig engineTypes.AuthConfig
-	service    *registry.Service
-}
-
-func (mf *v2ManifestFetcher) Fetch(ctx context.Context, ref reference.Named) (*types.ImageInspect, error) {
-	var (
-		imgInspect *types.ImageInspect
-		err        error
-	)
-
-	//mf.repo, mf.confirmedV2, err = distribution.NewV2Repository(ctx, mf.repoInfo, mf.endpoint, mf.config.MetaHeaders, mf.config.AuthConfig, "pull")
-	mf.repo, mf.confirmedV2, err = dockerdistribution.NewV2Repository(ctx, mf.repoInfo, mf.endpoint, nil, &mf.authConfig, "pull")
-	if err != nil {
-		logrus.Debugf("Error getting v2 registry: %v", err)
-		return nil, fallbackError{err: err, confirmedV2: mf.confirmedV2}
-	}
-
-	imgInspect, err = mf.fetchWithRepository(ctx, ref)
-	if err != nil {
-		if _, ok := err.(fallbackError); ok {
-			return nil, err
-		}
-		if registry.ContinueOnError(err) {
-			err = fallbackError{err: err, confirmedV2: mf.confirmedV2}
-		}
-	}
-	return imgInspect, err
-}
-
-func (mf *v2ManifestFetcher) fetchWithRepository(ctx context.Context, ref reference.Named) (*types.ImageInspect, error) {
-	var (
-		manifest    distribution.Manifest
-		tagOrDigest string // Used for logging/progress only
-		tagList     = []string{}
-	)
-
-	manSvc, err := mf.repo.Manifests(ctx)
-	if err != nil {
-		return nil, err
-	}
-
-	if _, isTagged := ref.(reference.NamedTagged); !isTagged {
-		ref, err = reference.WithTag(ref, reference.DefaultTag)
-		if err != nil {
-			return nil, err
-		}
-	}
-
-	if tagged, isTagged := ref.(reference.NamedTagged); isTagged {
-		// NOTE: not using TagService.Get, since it uses HEAD requests
-		// against the manifests endpoint, which are not supported by
-		// all registry versions.
-		manifest, err = manSvc.Get(ctx, "", client.WithTag(tagged.Tag()))
-		if err != nil {
-			return nil, allowV1Fallback(err)
-		}
-		tagOrDigest = tagged.Tag()
-	} else if digested, isDigested := ref.(reference.Canonical); isDigested {
-		manifest, err = manSvc.Get(ctx, digested.Digest())
-		if err != nil {
-			return nil, err
-		}
-		tagOrDigest = digested.Digest().String()
-	} else {
-		return nil, fmt.Errorf("internal error: reference has neither a tag nor a digest: %s", ref.String())
-	}
-
-	if manifest == nil {
-		return nil, fmt.Errorf("image manifest does not exist for tag or digest %q", tagOrDigest)
-	}
-
-	// If manSvc.Get succeeded, we can be confident that the registry on
-	// the other side speaks the v2 protocol.
-	mf.confirmedV2 = true
-
-	tagList, err = mf.repo.Tags(ctx).All(ctx)
-	if err != nil {
-		// If this repository doesn't exist on V2, we should
-		// permit a fallback to V1.
-		return nil, allowV1Fallback(err)
-	}
-
-	var (
-		image          *image.Image
-		manifestDigest digest.Digest
-	)
-
-	switch v := manifest.(type) {
-	case *schema1.SignedManifest:
-		image, manifestDigest, err = mf.pullSchema1(ctx, ref, v)
-		if err != nil {
-			return nil, err
-		}
-	case *schema2.DeserializedManifest:
-		image, manifestDigest, err = mf.pullSchema2(ctx, ref, v)
-		if err != nil {
-			return nil, err
-		}
-	case *manifestlist.DeserializedManifestList:
-		image, manifestDigest, err = mf.pullManifestList(ctx, ref, v)
-		if err != nil {
-			return nil, err
-		}
-	default:
-		return nil, errors.New("unsupported manifest format")
-	}
-
-	// TODO(runcom)
-	//var showTags bool
-	//if reference.IsNameOnly(ref) {
-	//showTags = true
-	//logrus.Debug("Using default tag: latest")
-	//ref = reference.WithDefaultTag(ref)
-	//}
-	//_ = showTags
-	return makeImageInspect(image, tagOrDigest, manifestDigest, tagList), nil
-}
-
-func (mf *v2ManifestFetcher) pullSchema1(ctx context.Context, ref reference.Named, unverifiedManifest *schema1.SignedManifest) (img *image.Image, manifestDigest digest.Digest, err error) {
-	var verifiedManifest *schema1.Manifest
-	verifiedManifest, err = verifySchema1Manifest(unverifiedManifest, ref)
-	if err != nil {
-		return nil, "", err
-	}
-
-	// remove duplicate layers and check parent chain validity
-	err = fixManifestLayers(verifiedManifest)
-	if err != nil {
-		return nil, "", err
-	}
-
-	// Image history converted to the new format
-	var history []image.History
-
-	// Note that the order of this loop is in the direction of bottom-most
-	// to top-most, so that the downloads slice gets ordered correctly.
-	for i := len(verifiedManifest.FSLayers) - 1; i >= 0; i-- {
-		var throwAway struct {
-			ThrowAway bool `json:"throwaway,omitempty"`
-		}
-		if err := json.Unmarshal([]byte(verifiedManifest.History[i].V1Compatibility), &throwAway); err != nil {
-			return nil, "", err
-		}
-
-		h, err := v1.HistoryFromConfig([]byte(verifiedManifest.History[i].V1Compatibility), throwAway.ThrowAway)
-		if err != nil {
-			return nil, "", err
-		}
-		history = append(history, h)
-	}
-
-	rootFS := image.NewRootFS()
-	configRaw, err := makeRawConfigFromV1Config([]byte(verifiedManifest.History[0].V1Compatibility), rootFS, history)
-
-	config, err := json.Marshal(configRaw)
-	if err != nil {
-		return nil, "", err
-	}
-
-	img, err = image.NewFromJSON(config)
-	if err != nil {
-		return nil, "", err
-	}
-
-	manifestDigest = digest.FromBytes(unverifiedManifest.Canonical)
-
-	return img, manifestDigest, nil
-}
-
-func verifySchema1Manifest(signedManifest *schema1.SignedManifest, ref reference.Named) (m *schema1.Manifest, err error) {
-	// If pull by digest, then verify the manifest digest. NOTE: It is
-	// important to do this first, before any other content validation. If the
-	// digest cannot be verified, don't even bother with those other things.
-	if digested, isCanonical := ref.(reference.Canonical); isCanonical {
-		verifier, err := digest.NewDigestVerifier(digested.Digest())
-		if err != nil {
-			return nil, err
-		}
-		if _, err := verifier.Write(signedManifest.Canonical); err != nil {
-			return nil, err
-		}
-		if !verifier.Verified() {
-			err := fmt.Errorf("image verification failed for digest %s", digested.Digest())
-			logrus.Error(err)
-			return nil, err
-		}
-	}
-	m = &signedManifest.Manifest
-
-	if m.SchemaVersion != 1 {
-		return nil, fmt.Errorf("unsupported schema version %d for %q", m.SchemaVersion, ref.String())
-	}
-	if len(m.FSLayers) != len(m.History) {
-		return nil, fmt.Errorf("length of history not equal to number of layers for %q", ref.String())
-	}
-	if len(m.FSLayers) == 0 {
-		return nil, fmt.Errorf("no FSLayers in manifest for %q", ref.String())
-	}
-	return m, nil
-}
-
-func fixManifestLayers(m *schema1.Manifest) error {
-	imgs := make([]*image.V1Image, len(m.FSLayers))
-	for i := range m.FSLayers {
-		img := &image.V1Image{}
-
-		if err := json.Unmarshal([]byte(m.History[i].V1Compatibility), img); err != nil {
-			return err
-		}
-
-		imgs[i] = img
-		if err := v1.ValidateID(img.ID); err != nil {
-			return err
-		}
-	}
-
-	if imgs[len(imgs)-1].Parent != "" && runtime.GOOS != "windows" {
-		// Windows base layer can point to a base layer parent that is not in manifest.
-		return errors.New("Invalid parent ID in the base layer of the image.")
-	}
-
-	// check general duplicates to error instead of a deadlock
-	idmap := make(map[string]struct{})
-
-	var lastID string
-	for _, img := range imgs {
-		// skip IDs that appear after each other, we handle those later
-		if _, exists := idmap[img.ID]; img.ID != lastID && exists {
-			return fmt.Errorf("ID %+v appears multiple times in manifest", img.ID)
-		}
-		lastID = img.ID
-		idmap[lastID] = struct{}{}
-	}
-
-	// backwards loop so that we keep the remaining indexes after removing items
-	for i := len(imgs) - 2; i >= 0; i-- {
-		if imgs[i].ID == imgs[i+1].ID { // repeated ID. remove and continue
-			m.FSLayers = append(m.FSLayers[:i], m.FSLayers[i+1:]...)
-			m.History = append(m.History[:i], m.History[i+1:]...)
-		} else if imgs[i].Parent != imgs[i+1].ID {
-			return fmt.Errorf("Invalid parent ID. Expected %v, got %v.", imgs[i+1].ID, imgs[i].Parent)
-		}
-	}
-
-	return nil
-}
-
-func (mf *v2ManifestFetcher) pullSchema2(ctx context.Context, ref reference.Named, mfst *schema2.DeserializedManifest) (img *image.Image, manifestDigest digest.Digest, err error) {
-	manifestDigest, err = schema2ManifestDigest(ref, mfst)
-	if err != nil {
-		return nil, "", err
-	}
-
-	target := mfst.Target()
-
-	configChan := make(chan []byte, 1)
-	errChan := make(chan error, 1)
-	var cancel func()
-	ctx, cancel = context.WithCancel(ctx)
-
-	// Pull the image config
-	go func() {
-		configJSON, err := mf.pullSchema2ImageConfig(ctx, target.Digest)
-		if err != nil {
-			errChan <- err
-			cancel()
-			return
-		}
-		configChan <- configJSON
-	}()
-
-	var (
-		configJSON         []byte      // raw serialized image config
-		unmarshalledConfig image.Image // deserialized image config
-	)
-	if runtime.GOOS == "windows" {
-		configJSON, unmarshalledConfig, err = receiveConfig(configChan, errChan)
-		if err != nil {
-			return nil, "", err
-		}
-		if unmarshalledConfig.RootFS == nil {
-			return nil, "", errors.New("image config has no rootfs section")
-		}
-	}
-
-	if configJSON == nil {
-		configJSON, unmarshalledConfig, err = receiveConfig(configChan, errChan)
-		if err != nil {
-			return nil, "", err
-		}
-	}
-
-	img, err = image.NewFromJSON(configJSON)
-	if err != nil {
-		return nil, "", err
-	}
-
-	return img, manifestDigest, nil
-}
-
-func (mf *v2ManifestFetcher) pullSchema2ImageConfig(ctx context.Context, dgst digest.Digest) (configJSON []byte, err error) {
-	blobs := mf.repo.Blobs(ctx)
-	configJSON, err = blobs.Get(ctx, dgst)
-	if err != nil {
-		return nil, err
-	}
-
-	// Verify image config digest
-	verifier, err := digest.NewDigestVerifier(dgst)
-	if err != nil {
-		return nil, err
-	}
-	if _, err := verifier.Write(configJSON); err != nil {
-		return nil, err
-	}
-	if !verifier.Verified() {
-		err := fmt.Errorf("image config verification failed for digest %s", dgst)
-		logrus.Error(err)
-		return nil, err
-	}
-
-	return configJSON, nil
-}
-
-func receiveConfig(configChan <-chan []byte, errChan <-chan error) ([]byte, image.Image, error) {
-	select {
-	case configJSON := <-configChan:
-		var unmarshalledConfig image.Image
-		if err := json.Unmarshal(configJSON, &unmarshalledConfig); err != nil {
-			return nil, image.Image{}, err
-		}
-		return configJSON, unmarshalledConfig, nil
-	case err := <-errChan:
-		return nil, image.Image{}, err
-		// Don't need a case for ctx.Done in the select because cancellation
-		// will trigger an error in p.pullSchema2ImageConfig.
-	}
-}
-
-// allowV1Fallback checks if the error is a possible reason to fallback to v1
-// (even if confirmedV2 has been set already), and if so, wraps the error in
-// a fallbackError with confirmedV2 set to false. Otherwise, it returns the
-// error unmodified.
-func allowV1Fallback(err error) error {
-	switch v := err.(type) {
-	case errcode.Errors:
-		if len(v) != 0 {
-			if v0, ok := v[0].(errcode.Error); ok && registry.ShouldV2Fallback(v0) {
-				return fallbackError{err: err, confirmedV2: false}
-			}
-		}
-	case errcode.Error:
-		if registry.ShouldV2Fallback(v) {
-			return fallbackError{err: err, confirmedV2: false}
-		}
-	}
-	return err
-}
-
-// schema2ManifestDigest computes the manifest digest, and, if pulling by
-// digest, ensures that it matches the requested digest.
-func schema2ManifestDigest(ref reference.Named, mfst distribution.Manifest) (digest.Digest, error) {
-	_, canonical, err := mfst.Payload()
-	if err != nil {
-		return "", err
-	}
-
-	// If pull by digest, then verify the manifest digest.
-	if digested, isDigested := ref.(reference.Canonical); isDigested {
-		verifier, err := digest.NewDigestVerifier(digested.Digest())
-		if err != nil {
-			return "", err
-		}
-		if _, err := verifier.Write(canonical); err != nil {
-			return "", err
-		}
-		if !verifier.Verified() {
-			err := fmt.Errorf("manifest verification failed for digest %s", digested.Digest())
-			logrus.Error(err)
-			return "", err
-		}
-		return digested.Digest(), nil
-	}
-
-	return digest.FromBytes(canonical), nil
-}
-
-// pullManifestList handles "manifest lists" which point to various
-// platform-specifc manifests.
-func (mf *v2ManifestFetcher) pullManifestList(ctx context.Context, ref reference.Named, mfstList *manifestlist.DeserializedManifestList) (img *image.Image, manifestListDigest digest.Digest, err error) {
-	manifestListDigest, err = schema2ManifestDigest(ref, mfstList)
-	if err != nil {
-		return nil, "", err
-	}
-
-	var manifestDigest digest.Digest
-	for _, manifestDescriptor := range mfstList.Manifests {
-		// TODO(aaronl): The manifest list spec supports optional
-		// "features" and "variant" fields. These are not yet used.
-		// Once they are, their values should be interpreted here.
-		if manifestDescriptor.Platform.Architecture == runtime.GOARCH && manifestDescriptor.Platform.OS == runtime.GOOS {
-			manifestDigest = manifestDescriptor.Digest
-			break
-		}
-	}
-
-	if manifestDigest == "" {
-		return nil, "", errors.New("no supported platform found in manifest list")
-	}
-
-	manSvc, err := mf.repo.Manifests(ctx)
-	if err != nil {
-		return nil, "", err
-	}
-
-	manifest, err := manSvc.Get(ctx, manifestDigest)
-	if err != nil {
-		return nil, "", err
-	}
-
-	manifestRef, err := reference.WithDigest(ref, manifestDigest)
-	if err != nil {
-		return nil, "", err
-	}
-
-	switch v := manifest.(type) {
-	case *schema1.SignedManifest:
-		img, _, err = mf.pullSchema1(ctx, manifestRef, v)
-		if err != nil {
-			return nil, "", err
-		}
-	case *schema2.DeserializedManifest:
-		img, _, err = mf.pullSchema2(ctx, manifestRef, v)
-		if err != nil {
-			return nil, "", err
-		}
-	default:
-		return nil, "", errors.New("unsupported manifest format")
-	}
-
-	return img, manifestListDigest, err
-}

docs/skopeo-copy.1.md

@@ -0,0 +1,266 @@
+% skopeo-copy(1)
+
+## NAME
+skopeo\-copy - Copy an image (manifest, filesystem layers, signatures) from one location to another.
+
+## SYNOPSIS
+**skopeo copy** [*options*] _source-image_ _destination-image_
+
+## DESCRIPTION
+Copy an image (manifest, filesystem layers, signatures) from one location to another.
+
+Uses the system's trust policy to validate images, rejects images not trusted by the policy.
+
+  _source-image_ use the "image name" format described above
+
+  _destination-image_ use the "image name" format described above
+
+_source-image_ and _destination-image_ are interpreted completely independently; e.g. the destination name does not
+automatically inherit any parts of the source name.
+
+## OPTIONS
+
+**--additional-tag**=_strings_
+
+Additional tags (supports docker-archive).
+
+**--all**, **-a**
+
+If _source-image_ refers to a list of images, instead of copying just the image which matches the current OS and
+architecture (subject to the use of the global --override-os, --override-arch and --override-variant options), attempt to copy all of
+the images in the list, and the list itself.
+
+**--authfile** _path_
+
+Path of the authentication file. Default is ${XDG_RUNTIME\_DIR}/containers/auth.json, which is set using `skopeo login`.
+If the authorization state is not found there, $HOME/.docker/config.json is checked, which is set using `docker login`.
+
+Note: You can also override the default path of the authentication file by setting the REGISTRY\_AUTH\_FILE
+environment variable. `export REGISTRY_AUTH_FILE=path`
+
+**--src-authfile** _path_
+
+Path of the authentication file for the source registry. Uses path given by `--authfile`, if not provided.
+
+**--dest-authfile** _path_
+
+Path of the authentication file for the destination registry. Uses path given by `--authfile`, if not provided.
+
+**--dest-shared-blob-dir** _directory_
+
+Directory to use to share blobs across OCI repositories.
+
+**--digestfile** _path_
+
+After copying the image, write the digest of the resulting image to the file.
+
+**--preserve-digests**
+
+Preserve the digests during copying. Fail if the digest cannot be preserved.
+
+**--encrypt-layer** _ints_
+
+*Experimental* the 0-indexed layer indices, with support for negative indexing (e.g. 0 is the first layer, -1 is the last layer)
+
+**--format**, **-f** _manifest-type_
+
+MANIFEST TYPE (oci, v2s1, or v2s2) to use in the destination (default is manifest type of source, with fallbacks)
+
+**--help**, **-h**
+
+Print usage statement
+
+**--multi-arch**
+
+Control what is copied if _source-image_ refers to a multi-architecture image. Default is system.
+
+Options:
+- system: Copy only the image that matches the system architecture
+- all: Copy the full multi-architecture image
+- index-only: Copy only the index
+
+The index-only option usually fails unless the referenced per-architecture images are already present in the destination, or the target registry supports sparse indexes.
+
+**--quiet**, **-q**
+
+Suppress output information when copying images.
+
+**--remove-signatures**
+
+Do not copy signatures, if any, from _source-image_. Necessary when copying a signed image to a destination which does not support signatures.
+
+**--sign-by**=_key-id_
+
+Add a signature using that key ID for an image name corresponding to _destination-image_
+
+**--sign-passphrase-file**=_path_
+
+The passphare to use when signing with the key ID from `--sign-by`. Only the first line will be read. A passphrase stored in a file is of questionable security if other users can read this file. Do not use this option if at all avoidable.
+
+**--src-shared-blob-dir** _directory_
+
+Directory to use to share blobs across OCI repositories.
+
+**--encryption-key** _protocol:keyfile_
+
+Specifies the encryption protocol, which can be JWE (RFC7516), PGP (RFC4880), and PKCS7 (RFC2315) and the key material required for image encryption. For instance, jwe:/path/to/key.pem or pgp:admin@example.com or pkcs7:/path/to/x509-file.
+
+**--decryption-key** _key[:passphrase]_
+
+Key to be used for decryption of images. Key can point to keys and/or certificates. Decryption will be tried with all keys. If the key is protected by a passphrase, it is required to be passed in the argument and omitted otherwise.
+
+**--src-creds** _username[:password]_
+
+Credentials for accessing the source registry.
+
+**--dest-compress**
+
+Compress tarball image layers when saving to directory using the 'dir' transport. (default is same compression type as source).
+
+**--dest-decompress**
+
+Decompress tarball image layers when saving to directory using the 'dir' transport. (default is same compression type as source).
+
+**--dest-oci-accept-uncompressed-layers**
+
+Allow uncompressed image layers when saving to an OCI image using the 'oci' transport. (default is to compress things that aren't compressed).
+
+**--dest-creds** _username[:password]_
+
+Credentials for accessing the destination registry.
+
+**--src-cert-dir** _path_
+
+Use certificates at _path_ (*.crt, *.cert, *.key) to connect to the source registry or daemon.
+
+**--src-no-creds**
+
+Access the registry anonymously.
+
+**--src-tls-verify**=_bool_
+
+Require HTTPS and verify certificates when talking to container source registry or daemon. Default to source registry setting.
+
+**--dest-cert-dir** _path_
+
+Use certificates at _path_ (*.crt, *.cert, *.key) to connect to the destination registry or daemon.
+
+**--dest-no-creds**
+
+Access the registry anonymously.
+
+**--dest-tls-verify**=_bool_
+
+Require HTTPS and verify certificates when talking to container destination registry or daemon. Default to destination registry setting.
+
+**--src-daemon-host** _host_
+
+Copy from docker daemon at _host_. If _host_ starts with `tcp://`, HTTPS is enabled by default. To use plain HTTP, use the form `http://` (default is `unix:///var/run/docker.sock`).
+
+**--dest-daemon-host** _host_
+
+Copy to docker daemon at _host_. If _host_ starts with `tcp://`, HTTPS is enabled by default. To use plain HTTP, use the form `http://` (default is `unix:///var/run/docker.sock`).
+
+Existing signatures, if any, are preserved as well.
+
+**--dest-compress-format** _format_
+
+Specifies the compression format to use.  Supported values are: `gzip` and `zstd`.
+
+**--dest-compress-level** _format_
+
+Specifies the compression level to use.  The value is specific to the compression algorithm used, e.g. for zstd the accepted values are in the range 1-20 (inclusive), while for gzip it is 1-9 (inclusive).
+
+**--src-registry-token** _token_
+
+Bearer token for accessing the source registry.
+
+**--dest-registry-token** _token_
+
+Bearer token for accessing the destination registry.
+
+**--dest-precompute-digests**
+
+Precompute digests to ensure layers are not uploaded that already exist on the destination registry. Layers with initially unknown digests (ex. compressing "on the fly") will be temporarily streamed to disk.
+
+**--retry-times**
+
+The number of times to retry. Retry wait time will be exponentially increased based on the number of failed attempts.
+
+**--src-username**
+
+The username to access the source registry.
+
+**--src-password**
+
+The password to access the source registry.
+
+**--dest-username**
+
+The username to access the destination registry.
+
+**--dest-password**
+
+The password to access the destination registry.
+
+## EXAMPLES
+
+To just copy an image from one registry to another:
+```sh
+$ skopeo copy docker://quay.io/skopeo/stable:latest docker://registry.example.com/skopeo:latest
+```
+
+To copy the layers of the docker.io busybox image to a local directory:
+```sh
+$ mkdir -p /var/lib/images/busybox
+$ skopeo copy docker://busybox:latest dir:/var/lib/images/busybox
+$ ls /var/lib/images/busybox/*
+  /tmp/busybox/2b8fd9751c4c0f5dd266fcae00707e67a2545ef34f9a29354585f93dac906749.tar
+  /tmp/busybox/manifest.json
+  /tmp/busybox/8ddc19f16526912237dd8af81971d5e4dd0587907234be2b83e249518d5b673f.tar
+```
+
+To copy and sign an image:
+
+```sh
+# skopeo copy --sign-by dev@example.com containers-storage:example/busybox:streaming docker://example/busybox:gold
+```
+
+To encrypt an image:
+```sh
+skopeo copy docker://docker.io/library/nginx:1.17.8 oci:local_nginx:1.17.8
+
+openssl genrsa -out private.key 1024
+openssl rsa -in private.key -pubout > public.key
+
+skopeo  copy --encryption-key jwe:./public.key oci:local_nginx:1.17.8 oci:try-encrypt:encrypted
+```
+
+To decrypt an image:
+```sh
+skopeo copy --decryption-key ./private.key oci:try-encrypt:encrypted oci:try-decrypt:decrypted
+```
+
+To copy encrypted image without decryption:
+```sh
+skopeo copy oci:try-encrypt:encrypted oci:try-encrypt-copy:encrypted
+```
+
+To decrypt an image that requires more than one key:
+```sh
+skopeo copy --decryption-key ./private1.key --decryption-key ./private2.key --decryption-key ./private3.key oci:try-encrypt:encrypted oci:try-decrypt:decrypted
+```
+
+Container images can also be partially encrypted by specifying the index of the layer. Layers are 0-indexed indices, with support for negative indexing. i.e. 0 is the first layer, -1 is the last layer.
+
+Let's say out of 3 layers that the image `docker.io/library/nginx:1.17.8` is made up of, we only want to encrypt the 2nd layer,
+```sh
+skopeo  copy --encryption-key jwe:./public.key --encrypt-layer 1 oci:local_nginx:1.17.8 oci:try-encrypt:encrypted
+```
+
+## SEE ALSO
+skopeo(1), skopeo-login(1), docker-login(1), containers-auth.json(5), containers-policy.json(5), containers-transports(5), containers-signature(5)
+
+## AUTHORS
+
+Antonio Murdaca <runcom@redhat.com>, Miloslav Trmac <mitr@redhat.com>, Jhon Honce <jhonce@redhat.com>

docs/skopeo-delete.1.md

@@ -0,0 +1,89 @@
+% skopeo-delete(1)
+
+## NAME
+skopeo\-delete - Mark the _image-name_ for later deletion by the registry's garbage collector.
+
+## SYNOPSIS
+**skopeo delete** [*options*] _image-name_
+
+Mark _image-name_ for deletion.  To release the allocated disk space, you must login to the container registry server and execute the container registry garbage collector. E.g.,
+
+```
+/usr/bin/registry garbage-collect /etc/docker-distribution/registry/config.yml
+
+Note: sometimes the config.yml is stored in /etc/docker/registry/config.yml
+
+If you are running the container registry inside of a container you would execute something like:
+
+$ docker exec -it registry /usr/bin/registry garbage-collect /etc/docker-distribution/registry/config.yml
+
+```
+
+## OPTIONS
+
+**--authfile** _path_
+
+Path of the authentication file. Default is ${XDG_RUNTIME\_DIR}/containers/auth.json, which is set using `skopeo login`.
+If the authorization state is not found there, $HOME/.docker/config.json is checked, which is set using `docker login`.
+
+**--creds** _username[:password]_
+
+Credentials for accessing the registry.
+
+**--cert-dir** _path_
+
+Use certificates at _path_ (*.crt, *.cert, *.key) to connect to the registry.
+
+**--daemon-host** _host_
+
+Use docker daemon host at _host_ (`docker-daemon:` transport only)
+
+**--help**, **-h**
+
+Print usage statement
+
+**--no-creds**
+
+Access the registry anonymously.
+
+Additionally, the registry must allow deletions by setting `REGISTRY_STORAGE_DELETE_ENABLED=true` for the registry daemon.
+
+**--registry-token** _token_
+
+Bearer token for accessing the registry.
+
+**--retry-times**
+
+The number of times to retry. Retry wait time will be exponentially increased based on the number of failed attempts.
+
+**--shared-blob-dir** _directory_
+
+Directory to use to share blobs across OCI repositories.
+
+**--tls-verify**=_bool_
+
+Require HTTPS and verify certificates when talking to the container registry or daemon. Default to registry.conf setting.
+
+**--username**
+
+The username to access the registry.
+
+**--password**
+
+The password to access the registry.
+
+## EXAMPLES
+
+Mark image example/pause for deletion from the registry.example.com registry:
+```sh
+$ skopeo delete --force docker://registry.example.com/example/pause:latest
+```
+See above for additional details on using the command **delete**.
+
+
+## SEE ALSO
+skopeo(1), skopeo-login(1), docker-login(1), containers-auth.json(5)
+
+## AUTHORS
+
+Antonio Murdaca <runcom@redhat.com>, Miloslav Trmac <mitr@redhat.com>, Jhon Honce <jhonce@redhat.com>

docs/skopeo-inspect.1.md

@@ -0,0 +1,167 @@
+% skopeo-inspect(1)
+
+## NAME
+skopeo\-inspect - Return low-level information about _image-name_ in a registry.
+
+## SYNOPSIS
+**skopeo inspect** [*options*] _image-name_
+
+## DESCRIPTION
+
+Return low-level information about _image-name_ in a registry.
+See [skopeo(1)](skopeo.1.md) for the format of _image-name_.
+
+The default output includes data from various sources: user input (**Name**), the remote repository, if any (**RepoTags**), the top-level manifest (**Digest**),
+and a per-architecture/OS image matching the current run-time environment (most other values).
+To see values for a different architecture/OS, use the **--override-os** / **--override-arch** options documented in [skopeo(1)](skopeo.1.md).
+
+## OPTIONS
+
+**--authfile** _path_
+
+Path of the authentication file. Default is ${XDG\_RUNTIME\_DIR}/containers/auth.json, which is set using `skopeo login`.
+If the authorization state is not found there, $HOME/.docker/config.json is checked, which is set using `docker login`.
+
+**--cert-dir** _path_
+
+Use certificates at _path_ (\*.crt, \*.cert, \*.key) to connect to the registry.
+
+**--config**
+
+Output configuration in OCI format, default is to format in JSON format.
+
+**--creds** _username[:password]_
+
+Username and password for accessing the registry.
+
+**--daemon-host** _host_
+
+Use docker daemon host at _host_ (`docker-daemon:` transport only)
+
+**--format**, **-f**=*format*
+
+Format the output using the given Go template.
+The keys of the returned JSON can be used as the values for the --format flag (see examples below).
+
+**--help**, **-h**
+
+Print usage statement
+
+**--no-creds**
+
+Access the registry anonymously.
+
+**--raw**
+
+Output raw manifest or config data depending on --config option.
+The --format option is not supported with --raw option.
+
+**--registry-token** _Bearer token_
+
+Registry token for accessing the registry.
+
+**--retry-times**
+
+The number of times to retry; retry wait time will be exponentially increased based on the number of failed attempts.
+
+**--shared-blob-dir** _directory_
+
+Directory to use to share blobs across OCI repositories.
+
+**--tls-verify**=_bool_
+
+Require HTTPS and verify certificates when talking to the container registry or daemon. Default to registry.conf setting.
+
+**--username**
+
+The username to access the registry.
+
+**--password**
+
+The password to access the registry.
+
+**--no-tags**, **-n**
+
+Do not list the available tags from the repository in the output. When `true`, the `RepoTags` array will be empty.  Defaults to `false`, which includes all available tags.
+
+## EXAMPLES
+
+To review information for the image fedora from the docker.io registry:
+```sh
+$ skopeo inspect docker://docker.io/fedora
+{
+    "Name": "docker.io/library/fedora",
+    "Digest": "sha256:a97914edb6ba15deb5c5acf87bd6bd5b6b0408c96f48a5cbd450b5b04509bb7d",
+    "RepoTags": [
+	"20",
+	"21",
+	"22",
+	"23",
+	"24",
+	"heisenbug",
+	"latest",
+	"rawhide"
+    ],
+    "Created": "2016-06-20T19:33:43.220526898Z",
+    "DockerVersion": "1.10.3",
+    "Labels": {},
+    "Architecture": "amd64",
+    "Os": "linux",
+    "Layers": [
+	"sha256:7c91a140e7a1025c3bc3aace4c80c0d9933ac4ee24b8630a6b0b5d8b9ce6b9d4"
+    ]
+}
+```
+
+To inspect python from the docker.io registry and not show the available tags:
+```sh
+$ skopeo inspect --no-tags docker://docker.io/library/python
+{
+    "Name": "docker.io/library/python",
+    "Digest": "sha256:5ca194a80ddff913ea49c8154f38da66a41d2b73028c5cf7e46bc3c1d6fda572",
+    "RepoTags": [],
+    "Created": "2021-10-05T23:40:54.936108045Z",
+    "DockerVersion": "20.10.7",
+    "Labels": null,
+    "Architecture": "amd64",
+    "Os": "linux",
+    "Layers": [
+        "sha256:df5590a8898bedd76f02205dc8caa5cc9863267dbcd8aac038bcd212688c1cc7",
+        "sha256:705bb4cb554eb7751fd21a994f6f32aee582fbe5ea43037db6c43d321763992b",
+        "sha256:519df5fceacdeaadeec563397b1d9f4d7c29c9f6eff879739cab6f0c144f49e1",
+        "sha256:ccc287cbeddc96a0772397ca00ec85482a7b7f9a9fac643bfddd87b932f743db",
+        "sha256:e3f8e6af58ed3a502f0c3c15dce636d9d362a742eb5b67770d0cfcb72f3a9884",
+        "sha256:aebed27b2d86a5a3a2cbe186247911047a7e432b9d17daad8f226597c0ea4276",
+        "sha256:54c32182bdcc3041bf64077428467109a70115888d03f7757dcf614ff6d95ebe",
+        "sha256:cc8b7caedab13af07adf4836e13af2d4e9e54d794129b0fd4c83ece6b1112e86",
+        "sha256:462c3718af1d5cdc050cfba102d06c26f78fe3b738ce2ca2eb248034b1738945"
+    ],
+    "Env": [
+        "PATH=/usr/local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
+        "LANG=C.UTF-8",
+        "GPG_KEY=A035C8C19219BA821ECEA86B64E628F8D684696D",
+        "PYTHON_VERSION=3.10.0",
+        "PYTHON_PIP_VERSION=21.2.4",
+        "PYTHON_SETUPTOOLS_VERSION=57.5.0",
+        "PYTHON_GET_PIP_URL=https://github.com/pypa/get-pip/raw/d781367b97acf0ece7e9e304bf281e99b618bf10/public/get-pip.py",
+        "PYTHON_GET_PIP_SHA256=01249aa3e58ffb3e1686b7141b4e9aac4d398ef4ac3012ed9dff8dd9f685ffe0"
+    ]
+}
+```
+
+```
+$ /bin/skopeo inspect --config docker://registry.fedoraproject.org/fedora --format "{{ .Architecture }}"
+amd64
+```
+
+```
+$ /bin/skopeo inspect --format '{{ .Env }}' docker://registry.access.redhat.com/ubi8
+[PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin container=oci]
+```
+
+# SEE ALSO
+skopeo(1), skopeo-login(1), docker-login(1), containers-auth.json(5)
+
+## AUTHORS
+
+Antonio Murdaca <runcom@redhat.com>, Miloslav Trmac <mitr@redhat.com>, Jhon Honce <jhonce@redhat.com>

docs/skopeo-list-tags.1.md

@@ -0,0 +1,129 @@
+% skopeo-list-tags(1)
+
+## NAME
+skopeo\-list\-tags - List tags in the transport-specific image repository.
+
+## SYNOPSIS
+**skopeo list-tags** [*options*] _repository-name_
+
+Return a list of tags from _repository-name_ in a registry.
+
+  _repository-name_ name of repository to retrieve tag listing from
+
+## OPTIONS
+
+**--authfile** _path_
+
+Path of the authentication file. Default is ${XDG\_RUNTIME\_DIR}/containers/auth.json, which is set using `skopeo login`.
+  If the authorization state is not found there, $HOME/.docker/config.json is checked, which is set using `docker login`.
+
+**--creds** _username[:password]_ for accessing the registry.
+
+**--cert-dir** _path_
+
+Use certificates at _path_ (\*.crt, \*.cert, \*.key) to connect to the registry.
+
+**--help**, **-h**
+
+Print usage statement
+
+**--no-creds**
+
+Access the registry anonymously.
+
+**--registry-token** _Bearer token_
+
+Bearer token for accessing the registry.
+
+**--retry-times**
+
+The number of times to retry. Retry wait time will be exponentially increased based on the number of failed attempts.
+
+**--tls-verify**=_bool_
+
+Require HTTPS and verify certificates when talking to the container registry or daemon. Default to registry.conf setting.
+
+**--username**
+
+The username to access the registry.
+
+**--password**
+
+The password to access the registry.
+
+## REPOSITORY NAMES
+
+Repository names are transport-specific references as each transport may have its own concept of a "repository" and "tags". Currently, only the Docker transport is supported.
+
+This commands refers to repositories using a _transport_`:`_details_ format. The following formats are supported:
+
+  **docker://**_docker-repository-reference_
+  A repository in a registry implementing the "Docker Registry HTTP API V2". By default, uses the authorization state in either `$XDG_RUNTIME_DIR/containers/auth.json`, which is set using `(skopeo login)`. If the authorization state is not found there, `$HOME/.docker/config.json` is checked, which is set using `(docker login)`.
+  A _docker-repository-reference_ is of the form: **registryhost:port/repositoryname** which is similar to an _image-reference_ but with no tag or digest allowed as the last component (e.g no `:latest` or `@sha256:xyz`)
+
+      Examples of valid docker-repository-references:
+        "docker.io/myuser/myrepo"
+        "docker.io/nginx"
+        "docker.io/library/fedora"
+        "localhost:5000/myrepository"
+
+      Examples of invalid references:
+        "docker.io/nginx:latest"
+        "docker.io/myuser/myimage:v1.0"
+        "docker.io/myuser/myimage@sha256:f48c4cc192f4c3c6a069cb5cca6d0a9e34d6076ba7c214fd0cc3ca60e0af76bb"
+
+
+## EXAMPLES
+
+### Docker Transport
+To get the list of tags in the "fedora" repository from the docker.io registry (the repository name expands to "library/fedora" per docker transport canonical form):
+```sh
+$ skopeo list-tags docker://docker.io/fedora
+{
+    "Repository": "docker.io/library/fedora",
+    "Tags": [
+        "20",
+        "21",
+        "22",
+        "23",
+        "24",
+        "25",
+        "26-modular",
+        "26",
+        "27",
+        "28",
+        "29",
+        "30",
+        "31",
+        "32",
+        "branched",
+        "heisenbug",
+        "latest",
+        "modular",
+        "rawhide"
+    ]
+}
+
+```
+
+To list the tags in a local host docker/distribution registry on port 5000, in this case for the "fedora" repository:
+
+```sh
+$ skopeo list-tags docker://localhost:5000/fedora
+{
+    "Repository": "localhost:5000/fedora",
+    "Tags": [
+        "latest",
+        "30",
+        "31"
+    ]
+}
+
+```
+
+# SEE ALSO
+skopeo(1), skopeo-login(1), docker-login(1), containers-auth.json(5)
+
+## AUTHORS
+
+Zach Hill <zach@anchore.com>

docs/skopeo-login.1.md

@@ -0,0 +1,103 @@
+% skopeo-login(1)
+
+## NAME
+skopeo\-login - Login to a container registry.
+
+## SYNOPSIS
+**skopeo login** [*options*] _registry_
+
+## DESCRIPTION
+**skopeo login** logs into a specified registry server with the correct username
+and password. **skopeo login** reads in the username and password from STDIN.
+The username and password can also be set using the **username** and **password** flags.
+The path of the authentication file can be specified by the user by setting the **authfile**
+flag. The default path used is **${XDG\_RUNTIME\_DIR}/containers/auth.json**.
+
+## OPTIONS
+
+**--password**, **-p**=*password*
+
+Password for registry
+
+**--password-stdin**
+
+Take the password from stdin
+
+**--username**, **-u**=*username*
+
+Username for registry
+
+**--authfile**=*path*
+
+Path of the authentication file. Default is ${XDG\_RUNTIME\_DIR}/containers/auth.json
+
+Note: You can also override the default path of the authentication file by setting the REGISTRY\_AUTH\_FILE
+environment variable. `export REGISTRY_AUTH_FILE=path`
+
+**--get-login**
+
+Return the logged-in user for the registry. Return error if no login is found.
+
+**--cert-dir**=*path*
+
+Use certificates at *path* (\*.crt, \*.cert, \*.key) to connect to the registry.
+Default certificates directory is _/etc/containers/certs.d_.
+
+**--help**, **-h**
+
+Print usage statement
+
+**--tls-verify**=_bool_
+
+Require HTTPS and verify certificates when talking to the container registry or daemon. Default to registry.conf setting.
+
+**--verbose**, **-v**
+
+Write more detailed information to stdout
+
+## EXAMPLES
+
+```
+$ skopeo login docker.io
+Username: testuser
+Password:
+Login Succeeded!
+```
+
+```
+$ skopeo login -u testuser -p testpassword localhost:5000
+Login Succeeded!
+```
+
+```
+$ skopeo login --authfile authdir/myauths.json docker.io
+Username: testuser
+Password:
+Login Succeeded!
+```
+
+```
+$ skopeo login --tls-verify=false -u test -p test localhost:5000
+Login Succeeded!
+```
+
+```
+$ skopeo login --cert-dir /etc/containers/certs.d/ -u foo -p bar localhost:5000
+Login Succeeded!
+```
+
+```
+$ skopeo login -u testuser  --password-stdin < testpassword.txt docker.io
+Login Succeeded!
+```
+
+```
+$ echo $testpassword | skopeo login -u testuser --password-stdin docker.io
+Login Succeeded!
+```
+
+## SEE ALSO
+skopeo(1), skopeo-logout(1), containers-auth.json(5), containers-registries.conf(5), containers-certs.d.5.md
+
+## HISTORY
+May 2020, Originally compiled by Qi Wang <qiwan@redhat.com>

docs/skopeo-logout.1.md

@@ -0,0 +1,57 @@
+% skopeo-logout(1)
+
+## NAME
+skopeo\-logout - Logout of a container registry.
+
+## SYNOPSIS
+**skopeo logout** [*options*] _registry_
+
+## DESCRIPTION
+**skopeo logout** logs out of a specified registry server by deleting the cached credentials
+stored in the **auth.json** file. The path of the authentication file can be overridden by the user by setting the **authfile** flag.
+The default path used is **${XDG\_RUNTIME\_DIR}/containers/auth.json**.
+All the cached credentials can be removed by setting the **all** flag.
+
+## OPTIONS
+
+**--authfile**=*path*
+
+Path of the authentication file. Default is ${XDG\_RUNTIME\_DIR}/containers/auth.json
+
+Note: You can also override the default path of the authentication file by setting the REGISTRY\_AUTH\_FILE
+environment variable. `export REGISTRY_AUTH_FILE=path`
+
+**--all**, **-a**
+
+Remove the cached credentials for all registries in the auth file
+
+**--help**, **-h**
+
+Print usage statement
+
+**--tls-verify**=_bool_
+
+Require HTTPS and verify certificates when talking to the container registry or daemon. Default to registry.conf setting.
+
+## EXAMPLES
+
+```
+$ skopeo logout docker.io
+Remove login credentials for docker.io
+```
+
+```
+$ skopeo logout --authfile authdir/myauths.json docker.io
+Remove login credentials for docker.io
+```
+
+```
+$ skopeo logout --all
+Remove login credentials for all registries
+```
+
+## SEE ALSO
+skopeo(1), skopeo-login(1), containers-auth.json(5)
+
+## HISTORY
+May 2020, Originally compiled by Qi Wang <qiwan@redhat.com>

docs/skopeo-manifest-digest.1.md

@@ -0,0 +1,31 @@
+% skopeo-manifest-digest(1)
+
+## NAME
+skopeo\-manifest\-digest - Compute a manifest digest for a manifest-file and write it to standard output.
+
+## SYNOPSIS
+**skopeo manifest-digest** _manifest-file_
+
+## DESCRIPTION
+
+Compute a manifest digest of _manifest-file_ and write it to standard output.
+
+## OPTIONS
+
+**--help**, **-h**
+
+Print usage statement
+
+## EXAMPLES
+
+```sh
+$ skopeo manifest-digest manifest.json
+sha256:a59906e33509d14c036c8678d687bd4eec81ed7c4b8ce907b888c607f6a1e0e6
+```
+
+## SEE ALSO
+skopeo(1)
+
+## AUTHORS
+
+Antonio Murdaca <runcom@redhat.com>, Miloslav Trmac <mitr@redhat.com>, Jhon Honce <jhonce@redhat.com>

docs/skopeo-standalone-sign.1.md

@@ -0,0 +1,48 @@
+% skopeo-standalone-sign(1)
+
+## NAME
+skopeo\-standalone-sign - Debugging tool - Publish and sign an image in one step.
+
+## SYNOPSIS
+**skopeo standalone-sign** [*options*] _manifest_ _docker-reference_ _key-fingerprint_ **--output**|**-o** _signature_
+
+## DESCRIPTION
+This is primarily a debugging tool, useful for special cases, and usually should not be a part of your normal operational workflow; use `skopeo copy --sign-by` instead to publish and sign an image in one step.
+
+  _manifest_ Path to a file containing the image manifest
+
+  _docker-reference_ A docker reference to identify the image with
+
+  _key-fingerprint_ Key identity to use for signing
+
+## OPTIONS
+
+**--help**, **-h**
+
+Print usage statement
+
+**--output**, **-o** _output file_
+
+Write signature to _output file_.
+
+**--passphrase-file**=_path_
+
+The passphare to use when signing with the key ID from `--sign-by`. Only the first line will be read. A passphrase stored in a file is of questionable security if other users can read this file. Do not use this option if at all avoidable.
+
+## EXAMPLES
+
+```sh
+$ skopeo standalone-sign busybox-manifest.json registry.example.com/example/busybox 1D8230F6CDB6A06716E414C1DB72F2188BB46CC8 --output busybox.signature
+$
+```
+
+## NOTES
+
+This command is intended for use with local signatures e.g. OpenPGP ( other signature formats may be added in the future ), as per containers-signature(5). Furthermore, this command does **not** interact with the artifacts generated by Docker Content Trust (DCT). For more information, please see [containers-signature(5)](https://github.com/containers/image/blob/main/docs/containers-signature.5.md).
+
+## SEE ALSO
+skopeo(1), skopeo-copy(1), containers-signature(5)
+
+## AUTHORS
+
+Antonio Murdaca <runcom@redhat.com>, Miloslav Trmac <mitr@redhat.com>, Jhon Honce <jhonce@redhat.com>

docs/skopeo-standalone-verify.1.md

@@ -0,0 +1,47 @@
+% skopeo-standalone-verify(1)
+
+## NAME
+skopeo\-standalone\-verify - Verify an image signature.
+
+## SYNOPSIS
+**skopeo standalone-verify** _manifest_ _docker-reference_ _key-fingerprint_ _signature_
+
+## DESCRIPTION
+
+Verify a signature using local files; the digest will be printed on success. This is primarily a debugging tool, useful for special cases,
+and usually should not be a part of your normal operational workflow. Additionally, consider configuring a signature verification policy file,
+as per containers-policy.json(5).
+
+  _manifest_ Path to a file containing the image manifest
+
+  _docker-reference_ A docker reference expected to identify the image in the signature
+
+  _key-fingerprint_ Expected identity of the signing key
+
+  _signature_ Path to signature file
+
+**Note:** If you do use this, make sure that the image can not be changed at the source location between the times of its verification and use.
+
+## OPTIONS
+
+**--help**, **-h**
+
+Print usage statement
+
+## EXAMPLES
+
+```sh
+$ skopeo standalone-verify busybox-manifest.json registry.example.com/example/busybox 1D8230F6CDB6A06716E414C1DB72F2188BB46CC8  busybox.signature
+Signature verified, digest sha256:20bf21ed457b390829cdbeec8795a7bea1626991fda603e0d01b4e7f60427e55
+```
+
+## NOTES
+
+This command is intended for use with local signatures e.g. OpenPGP ( other signature formats may be added in the future ), as per containers-signature(5). Furthermore, this command does **not** interact with the artifacts generated by Docker Content Trust (DCT). For more information, please see [containers-signature(5)](https://github.com/containers/image/blob/main/docs/containers-signature.5.md).
+
+## SEE ALSO
+skopeo(1), containers-signature(5), containers-policy.json(5)
+
+## AUTHORS
+
+Antonio Murdaca <runcom@redhat.com>, Miloslav Trmac <mitr@redhat.com>, Jhon Honce <jhonce@redhat.com>

docs/skopeo-sync.1.md

@@ -0,0 +1,221 @@
+% skopeo-sync(1)
+
+## NAME
+skopeo\-sync - Synchronize images between container registries and local directories.
+
+
+## SYNOPSIS
+**skopeo sync** [*options*] --src _transport_ --dest _transport_ _source_ _destination_
+
+## DESCRIPTION
+Synchronize images between container registries and local directories.
+The synchronization is achieved by copying all the images found at _source_ to _destination_.
+
+Useful to synchronize a local container registry mirror, and to to populate registries running inside of air-gapped environments.
+
+Differently from other skopeo commands, skopeo sync requires both source and destination transports to be specified separately from _source_ and _destination_.
+One of the problems of prefixing a destination with its transport is that, the registry `docker://hostname:port` would be wrongly interpreted as an image reference at a non-fully qualified registry, with `hostname` and `port` the image name and tag.
+
+Available _source_ transports:
+ - _docker_ (i.e. `--src docker`): _source_ is a repository hosted on a container registry (e.g.: `registry.example.com/busybox`).
+ If no image tag is specified, skopeo sync copies all the tags found in that repository.
+ - _dir_ (i.e. `--src dir`): _source_ is a local directory path (e.g.: `/media/usb/`). Refer to skopeo(1) **dir:**_path_ for the local image format.
+ - _yaml_ (i.e. `--src yaml`): _source_ is local YAML file path.
+ The YAML file should specify the list of images copied from different container registries (local directories are not supported). Refer to EXAMPLES for the file format.
+
+Available _destination_ transports:
+ - _docker_ (i.e. `--dest docker`): _destination_ is a container registry (e.g.: `my-registry.local.lan`).
+ - _dir_ (i.e. `--dest dir`): _destination_ is a local directory path (e.g.: `/media/usb/`).
+ One directory per source 'image:tag' is created for each copied image.
+
+When the `--scoped` option is specified, images are prefixed with the source image path so that multiple images with the same
+name can be stored at _destination_.
+
+## OPTIONS
+**--all**, **-a**
+If one of the images in __src__ refers to a list of images, instead of copying just the image which matches the current OS and
+architecture (subject to the use of the global --override-os, --override-arch and --override-variant options), attempt to copy all of
+the images in the list, and the list itself.
+
+**--authfile** _path_
+
+Path of the authentication file. Default is ${XDG\_RUNTIME\_DIR}/containers/auth.json, which is set using `skopeo login`.
+If the authorization state is not found there, $HOME/.docker/config.json is checked, which is set using `docker login`.
+
+**--src-authfile** _path_
+
+Path of the authentication file for the source registry. Uses path given by `--authfile`, if not provided.
+
+**--dest-authfile** _path_
+
+Path of the authentication file for the destination registry. Uses path given by `--authfile`, if not provided.
+
+**--src**, **-s** _transport_ Transport for the source repository.
+
+**--dest**, **-d** _transport_ Destination transport.
+
+**--format**, **-f** _manifest-type_ Manifest Type (oci, v2s1, or v2s2) to use when syncing image(s) to a destination (default is manifest type of source, with fallbacks).
+
+**--help**, **-h**
+
+Print usage statement.
+
+**--scoped** Prefix images with the source image path, so that multiple images with the same name can be stored at _destination_.
+
+**--preserve-digests** Preserve the digests during copying. Fail if the digest cannot be preserved.
+
+**--remove-signatures** Do not copy signatures, if any, from _source-image_. This is necessary when copying a signed image to a destination which does not support signatures.
+
+**--sign-by**=_key-id_ Add a signature using that key ID for an image name corresponding to _destination-image_.
+
+**--sign-passphrase-file**=_path_ The passphare to use when signing with the key ID from `--sign-by`. Only the first line will be read. A passphrase stored in a file is of questionable security if other users can read this file. Do not use this option if at all avoidable.
+
+**--src-creds** _username[:password]_ for accessing the source registry.
+
+**--dest-creds** _username[:password]_ for accessing the destination registry.
+
+**--src-cert-dir** _path_ Use certificates (*.crt, *.cert, *.key) at _path_ to connect to the source registry or daemon.
+
+**--src-no-creds** Access the registry anonymously.
+
+**--src-tls-verify**=_bool_ Require HTTPS and verify certificates when talking to a container source registry or daemon. Default to source registry entry in registry.conf setting.
+
+**--dest-cert-dir** _path_ Use certificates (*.crt, *.cert, *.key) at _path_ to connect to the destination registry or daemon.
+
+**--dest-no-creds** Access the registry anonymously.
+
+**--dest-tls-verify**=_bool_ Require HTTPS and verify certificates when talking to a container destination registry or daemon. Default to destination registry entry in registry.conf setting.
+
+**--src-registry-token** _Bearer token_ for accessing the source registry.
+
+**--dest-registry-token** _Bearer token_ for accessing the destination registry.
+
+**--retry-times**  the number of times to retry, retry wait time will be exponentially increased based on the number of failed attempts.
+
+**--keep-going**
+If any errors occur during copying of images, those errors are logged and the process continues syncing rest of the images and finally fails at the end.
+
+**--src-username**
+
+The username to access the source registry.
+
+**--src-password**
+
+The password to access the source registry.
+
+**--dest-username**
+
+The username to access the destination registry.
+
+**--dest-password**
+
+The password to access the destination registry.
+
+## EXAMPLES
+
+### Synchronizing to a local directory
+```
+$ skopeo sync --src docker --dest dir registry.example.com/busybox /media/usb
+```
+Images are located at:
+```
+/media/usb/busybox:1-glibc
+/media/usb/busybox:1-musl
+/media/usb/busybox:1-ubuntu
+...
+/media/usb/busybox:latest
+```
+
+### Synchronizing to a container registry from local
+Images are located at:
+```
+/media/usb/busybox:1-glibc
+```
+Sync run
+```
+$ skopeo sync --src dir --dest docker /media/usb/busybox:1-glibc my-registry.local.lan/test/
+```
+Destination registry content:
+```
+REPO                                 TAGS
+my-registry.local.lan/test/busybox   1-glibc
+```
+
+### Synchronizing to a local directory, scoped
+```
+$ skopeo sync --src docker --dest dir --scoped registry.example.com/busybox /media/usb
+```
+Images are located at:
+```
+/media/usb/registry.example.com/busybox:1-glibc
+/media/usb/registry.example.com/busybox:1-musl
+/media/usb/registry.example.com/busybox:1-ubuntu
+...
+/media/usb/registry.example.com/busybox:latest
+```
+
+### Synchronizing to a container registry
+```
+skopeo sync --src docker --dest docker registry.example.com/busybox my-registry.local.lan
+```
+Destination registry content:
+```
+REPO                         TAGS
+registry.local.lan/busybox   1-glibc, 1-musl, 1-ubuntu, ..., latest
+```
+
+### Synchronizing to a container registry keeping the repository
+```
+skopeo sync --src docker --dest docker registry.example.com/repo/busybox my-registry.local.lan/repo
+```
+Destination registry content:
+```
+REPO                              TAGS
+registry.local.lan/repo/busybox   1-glibc, 1-musl, 1-ubuntu, ..., latest
+```
+
+### YAML file content (used _source_ for `**--src yaml**`)
+
+```yaml
+registry.example.com:
+    images:
+        busybox: []
+        redis:
+            - "1.0"
+            - "2.0"
+            - "sha256:0000000000000000000000000000000011111111111111111111111111111111"
+    images-by-tag-regex:
+        nginx: ^1\.13\.[12]-alpine-perl$
+    credentials:
+        username: john
+        password: this is a secret
+    tls-verify: true
+    cert-dir: /home/john/certs
+quay.io:
+    tls-verify: false
+    images:
+        coreos/etcd:
+            - latest
+```
+If the yaml filename is `sync.yml`, sync run:
+```
+skopeo sync --src yaml --dest docker sync.yml my-registry.local.lan/repo/
+```
+This will copy the following images:
+- Repository `registry.example.com/busybox`: all images, as no tags are specified.
+- Repository `registry.example.com/redis`: images tagged "1.0" and "2.0" along with image with digest "sha256:0000000000000000000000000000000011111111111111111111111111111111".
+- Repository `registry.example.com/nginx`: images tagged "1.13.1-alpine-perl" and "1.13.2-alpine-perl".
+- Repository `quay.io/coreos/etcd`: images tagged "latest".
+
+For the registry `registry.example.com`, the "john"/"this is a secret" credentials are used, with server TLS certificates located at `/home/john/certs`.
+
+TLS verification is normally enabled, and it can be disabled setting `tls-verify` to `false`.
+In the above example, TLS verification is enabled for `registry.example.com`, while is
+disabled for `quay.io`.
+
+## SEE ALSO
+skopeo(1), skopeo-login(1), docker-login(1), containers-auth.json(5), containers-policy.json(5), containers-transports(5)
+
+## AUTHORS
+
+Flavio Castelli <fcastelli@suse.com>, Marco Vedovati <mvedovati@suse.com>

docs/skopeo.1.md

@@ -0,0 +1,127 @@
+% SKOPEO(1) Skopeo Man Pages
+% Jhon Honce
+% August 2016
+## NAME
+skopeo -- Command line utility used to interact with local and remote container images and container image registries
+
+## SYNOPSIS
+**skopeo** [_global options_] _command_ [_command options_]
+
+## DESCRIPTION
+`skopeo` is a command line utility providing various operations with container images and container image registries.
+
+`skopeo` can copy container images between various containers image stores, converting them as necessary.  For example you can use `skopeo` to copy container images from one container registry to another.
+
+`skopeo` can convert a Docker schema 2 or schema 1 container image to an OCI image.
+
+`skopeo` can inspect a repository on a container registry without needlessly pulling the image. Pulling an image from a repository, especially a remote repository, is an expensive network and storage operation. Skopeo fetches the repository's manifest and displays a `docker inspect`-like json output about the repository or a tag. `skopeo`, in contrast to `docker inspect`, helps you gather useful information about a repository or a tag without requiring you to run `docker pull` - e.g. - Which tags are available for the given repository? Which labels does the image have?
+
+`skopeo` can sign and verify container images.
+
+`skopeo` can delete container images from a remote container registry.
+
+Note: `skopeo` does not require any container runtimes to be running, to do most of
+its functionality.  It also does not require root, unless you are copying images into a container runtime storage backend, like the docker daemon or github.com/containers/storage.
+
+## IMAGE NAMES
+Most commands refer to container images, using a _transport_`:`_details_ format. The following formats are supported:
+
+  **containers-storage:**_docker-reference_
+  An image located in a local containers/storage image store.  Both the location and image store are specified in /etc/containers/storage.conf. (Backend for Podman, CRI-O, Buildah and friends)
+
+  **dir:**_path_
+  An existing local directory _path_ storing the manifest, layer tarballs and signatures as individual files. This is a non-standardized format, primarily useful for debugging or noninvasive container inspection.
+
+  **docker://**_docker-reference_
+  An image in a registry implementing the "Docker Registry HTTP API V2". By default, uses the authorization state in either `$XDG_RUNTIME_DIR/containers/auth.json`, which is set using `(skopeo login)`. If the authorization state is not found there, `$HOME/.docker/config.json` is checked, which is set using `(docker login)`.
+
+  **docker-archive:**_path_[**:**_docker-reference_]
+  An image is stored in the `docker save` formatted file.  _docker-reference_ is only used when creating such a file, and it must not contain a digest.
+
+  **docker-daemon:**_docker-reference_
+  An image _docker-reference_ stored in the docker daemon internal storage.  _docker-reference_ must contain either a tag or a digest.  Alternatively, when reading images, the format can be docker-daemon:algo:digest (an image ID).
+
+  **oci:**_path_**:**_tag_
+  An image _tag_ in a directory compliant with "Open Container Image Layout Specification" at _path_.
+
+  **oci-archive:**_path_**:**_tag_
+  An image _tag_ in a tar archive compliant with "Open Container Image Layout Specification" at _path_.
+
+See [containers-transports(5)](https://github.com/containers/image/blob/master/docs/containers-transports.5.md) for details.
+
+## OPTIONS
+
+**--command-timeout** _duration_
+
+Timeout for the command execution.
+
+**--debug**
+
+enable debug output
+
+**--help**, **-h**
+
+Show help
+
+**--insecure-policy**
+
+Adopt an insecure, permissive policy that allows anything. This obviates the need for a policy file.
+
+**--override-arch** _arch_
+
+Use _arch_ instead of the architecture of the machine for choosing images.
+
+**--override-os** _os_
+
+Use _OS_ instead of the running OS for choosing images.
+
+**--override-variant** _variant_
+
+Use _variant_ instead of the running architecture variant for choosing images.
+
+**--policy** _path-to-policy_
+
+Path to a policy.json file to use for verifying signatures and deciding whether an image is trusted, overriding the default trust policy file.
+
+**--registries.d** _dir_
+
+Use registry configuration files in _dir_ (e.g. for container signature storage), overriding the default path.
+
+**--tmpdir** _dir_
+
+Directory used to store temporary files. Defaults to /var/tmp.
+
+**--version**, **-v**
+
+Print the version number
+
+## COMMANDS
+
+| Command                                   | Description                                                                    |
+| ----------------------------------------- | ------------------------------------------------------------------------------ |
+| [skopeo-copy(1)](skopeo-copy.1.md)        | Copy an image (manifest, filesystem layers, signatures) from one location to another. |
+| [skopeo-delete(1)](skopeo-delete.1.md)    | Mark the _image-name_ for later deletion by the registry's garbage collector.  |
+| [skopeo-inspect(1)](skopeo-inspect.1.md)  | Return low-level information about _image-name_ in a registry.                 |
+| [skopeo-list-tags(1)](skopeo-list-tags.1.md)  | List tags in the transport-specific image repository.                      |
+| [skopeo-login(1)](skopeo-login.1.md)  | Login to a container registry. |
+| [skopeo-logout(1)](skopeo-logout.1.md)  | Logout of a container registry. |
+| [skopeo-manifest-digest(1)](skopeo-manifest-digest.1.md)    | Compute a manifest digest for a manifest-file and write it to standard output. |
+| [skopeo-standalone-sign(1)](skopeo-standalone-sign.1.md)    | Debugging tool - Publish and sign an image in one step.      |
+| [skopeo-standalone-verify(1)](skopeo-standalone-verify.1.md)| Verify an image signature.                                   |
+| [skopeo-sync(1)](skopeo-sync.1.md)| Synchronize images between container registries and local directories.                 |
+
+## FILES
+  **/etc/containers/policy.json**
+  Default trust policy file, if **--policy** is not specified.
+  The policy format is documented in [containers-policy.json(5)](https://github.com/containers/image/blob/master/docs/containers-policy.json.5.md) .
+
+  **/etc/containers/registries.d**
+  Default directory containing registry configuration, if **--registries.d** is not specified.
+  The contents of this directory are documented in [containers-policy.json(5)](https://github.com/containers/image/blob/master/docs/containers-policy.json.5.md).
+
+## SEE ALSO
+skopeo-login(1), docker-login(1), containers-auth.json(5), containers-storage.conf(5), containers-policy.json(5), containers-transports(5)
+
+## AUTHORS
+
+Antonio Murdaca <runcom@redhat.com>, Miloslav Trmac <mitr@redhat.com>, Jhon Honce <jhonce@redhat.com>

docs/skopeo.svg

@@ -0,0 +1,546 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:dc="http://purl.org/dc/elements/1.1/"
+   xmlns:cc="http://creativecommons.org/ns#"
+   xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   xmlns:xlink="http://www.w3.org/1999/xlink"
+   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
+   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
+   width="480.61456"
+   height="472.66098"
+   viewBox="0 0 127.1626 125.05822"
+   version="1.1"
+   id="svg8"
+   inkscape:version="0.92.2 5c3e80d, 2017-08-06"
+   sodipodi:docname="skopeo.svg"
+   inkscape:export-filename="/home/duffy/Documents/Projects/Favors/skopeo-logo/skopeo.color.png"
+   inkscape:export-xdpi="90"
+   inkscape:export-ydpi="90">
+  <defs
+     id="defs2">
+    <linearGradient
+       inkscape:collect="always"
+       id="linearGradient84477">
+      <stop
+         style="stop-color:#0093d9;stop-opacity:1"
+         offset="0"
+         id="stop84473" />
+      <stop
+         style="stop-color:#ffffff;stop-opacity:1"
+         offset="1"
+         id="stop84475" />
+    </linearGradient>
+    <linearGradient
+       inkscape:collect="always"
+       id="linearGradient84469">
+      <stop
+         style="stop-color:#f6e6c8;stop-opacity:1"
+         offset="0"
+         id="stop84465" />
+      <stop
+         style="stop-color:#dc9f2e;stop-opacity:1"
+         offset="1"
+         id="stop84467" />
+    </linearGradient>
+    <linearGradient
+       inkscape:collect="always"
+       id="linearGradient84461">
+      <stop
+         style="stop-color:#bfdce8;stop-opacity:1;"
+         offset="0"
+         id="stop84457" />
+      <stop
+         style="stop-color:#2a72ac;stop-opacity:1"
+         offset="1"
+         id="stop84459" />
+    </linearGradient>
+    <linearGradient
+       inkscape:collect="always"
+       id="linearGradient84420">
+      <stop
+         style="stop-color:#a7a9ac;stop-opacity:1;"
+         offset="0"
+         id="stop84416" />
+      <stop
+         style="stop-color:#e7e8e9;stop-opacity:1"
+         offset="1"
+         id="stop84418" />
+    </linearGradient>
+    <linearGradient
+       inkscape:collect="always"
+       id="linearGradient84347">
+      <stop
+         style="stop-color:#2c2d2f;stop-opacity:1;"
+         offset="0"
+         id="stop84343" />
+      <stop
+         style="stop-color:#000000;stop-opacity:1"
+         offset="1"
+         id="stop84345" />
+    </linearGradient>
+    <linearGradient
+       inkscape:collect="always"
+       id="linearGradient84339">
+      <stop
+         style="stop-color:#002442;stop-opacity:1;"
+         offset="0"
+         id="stop84335" />
+      <stop
+         style="stop-color:#151617;stop-opacity:1"
+         offset="1"
+         id="stop84337" />
+    </linearGradient>
+    <linearGradient
+       inkscape:collect="always"
+       id="linearGradient84331">
+      <stop
+         style="stop-color:#003d6e;stop-opacity:1;"
+         offset="0"
+         id="stop84327" />
+      <stop
+         style="stop-color:#59b5ff;stop-opacity:1"
+         offset="1"
+         id="stop84329" />
+    </linearGradient>
+    <linearGradient
+       inkscape:collect="always"
+       id="linearGradient84323">
+      <stop
+         style="stop-color:#dc9f2e;stop-opacity:1;"
+         offset="0"
+         id="stop84319" />
+      <stop
+         style="stop-color:#ffffff;stop-opacity:1"
+         offset="1"
+         id="stop84321" />
+    </linearGradient>
+    <linearGradient
+       inkscape:collect="always"
+       xlink:href="#linearGradient84323"
+       id="linearGradient84325"
+       x1="221.5741"
+       y1="250.235"
+       x2="219.20772"
+       y2="221.99771"
+       gradientUnits="userSpaceOnUse"
+       gradientTransform="translate(0,10.583333)" />
+    <linearGradient
+       inkscape:collect="always"
+       xlink:href="#linearGradient84331"
+       id="linearGradient84333"
+       x1="223.23239"
+       y1="212.83418"
+       x2="245.52328"
+       y2="129.64345"
+       gradientUnits="userSpaceOnUse"
+       gradientTransform="translate(0,10.583333)" />
+    <linearGradient
+       inkscape:collect="always"
+       xlink:href="#linearGradient84339"
+       id="linearGradient84341"
+       x1="190.36137"
+       y1="217.8925"
+       x2="205.20828"
+       y2="209.32063"
+       gradientUnits="userSpaceOnUse" />
+    <linearGradient
+       inkscape:collect="always"
+       xlink:href="#linearGradient84347"
+       id="linearGradient84349"
+       x1="212.05453"
+       y1="215.20055"
+       x2="237.73705"
+       y2="230.02835"
+       gradientUnits="userSpaceOnUse"
+       gradientTransform="translate(0,10.583333)" />
+    <linearGradient
+       inkscape:collect="always"
+       xlink:href="#linearGradient84323"
+       id="linearGradient84363"
+       x1="193.61516"
+       y1="225.045"
+       x2="224.08698"
+       y2="223.54327"
+       gradientUnits="userSpaceOnUse"
+       gradientTransform="translate(0,10.583333)" />
+    <linearGradient
+       inkscape:collect="always"
+       xlink:href="#linearGradient84323"
+       id="linearGradient84377"
+       x1="182.72513"
+       y1="222.54439"
+       x2="184.01024"
+       y2="210.35291"
+       gradientUnits="userSpaceOnUse"
+       gradientTransform="translate(0,10.583333)" />
+    <linearGradient
+       inkscape:collect="always"
+       xlink:href="#linearGradient84420"
+       id="linearGradient84408"
+       x1="211.73801"
+       y1="225.48302"
+       x2="204.24324"
+       y2="238.46432"
+       gradientUnits="userSpaceOnUse"
+       gradientTransform="translate(0,10.583333)" />
+    <linearGradient
+       inkscape:collect="always"
+       xlink:href="#linearGradient84420"
+       id="linearGradient84422"
+       x1="190.931"
+       y1="221.83777"
+       x2="187.53873"
+       y2="229.26593"
+       gradientUnits="userSpaceOnUse"
+       gradientTransform="translate(0,10.583333)" />
+    <linearGradient
+       inkscape:collect="always"
+       xlink:href="#linearGradient84339"
+       id="linearGradient84425"
+       gradientUnits="userSpaceOnUse"
+       x1="190.36137"
+       y1="217.8925"
+       x2="205.20828"
+       y2="209.32063"
+       gradientTransform="translate(0,10.583333)" />
+    <linearGradient
+       inkscape:collect="always"
+       xlink:href="#linearGradient84420"
+       id="linearGradient84441"
+       x1="169.95944"
+       y1="215.77036"
+       x2="174.0289"
+       y2="207.81528"
+       gradientUnits="userSpaceOnUse"
+       gradientTransform="translate(0,10.583333)" />
+    <linearGradient
+       inkscape:collect="always"
+       xlink:href="#linearGradient84420"
+       id="linearGradient84455"
+       x1="234.08092"
+       y1="252.39755"
+       x2="245.88477"
+       y2="251.21777"
+       gradientUnits="userSpaceOnUse"
+       gradientTransform="translate(0,10.583333)" />
+    <radialGradient
+       inkscape:collect="always"
+       xlink:href="#linearGradient84461"
+       id="radialGradient84463"
+       cx="213.19594"
+       cy="223.40646"
+       fx="214.12064"
+       fy="217.34077"
+       r="33.39888"
+       gradientUnits="userSpaceOnUse"
+       gradientTransform="matrix(2.6813748,0.05304973,-0.0423372,2.1399146,-349.74924,-255.6421)" />
+    <radialGradient
+       inkscape:collect="always"
+       xlink:href="#linearGradient84469"
+       id="radialGradient84471"
+       cx="207.18298"
+       cy="211.06483"
+       fx="207.18298"
+       fy="211.06483"
+       r="2.77954"
+       gradientTransform="matrix(1.4407627,0.18685239,-0.24637721,1.8997405,-38.989952,-218.98841)"
+       gradientUnits="userSpaceOnUse" />
+    <linearGradient
+       inkscape:collect="always"
+       xlink:href="#linearGradient84477"
+       id="linearGradient84479"
+       x1="241.60336"
+       y1="255.46982"
+       x2="244.45177"
+       y2="250.4846"
+       gradientUnits="userSpaceOnUse"
+       gradientTransform="translate(0,10.583333)" />
+  </defs>
+  <sodipodi:namedview
+     id="base"
+     pagecolor="#ffffff"
+     bordercolor="#666666"
+     borderopacity="1.0"
+     inkscape:pageopacity="0.0"
+     inkscape:pageshadow="2"
+     inkscape:zoom="1"
+     inkscape:cx="517.27113"
+     inkscape:cy="314.79773"
+     inkscape:document-units="mm"
+     inkscape:current-layer="layer1"
+     inkscape:document-rotation="0"
+     showgrid="false"
+     units="px"
+     inkscape:snap-global="false"
+     inkscape:window-width="2560"
+     inkscape:window-height="1376"
+     inkscape:window-x="0"
+     inkscape:window-y="27"
+     inkscape:window-maximized="1"
+     fit-margin-top="0"
+     fit-margin-left="0"
+     fit-margin-right="0"
+     fit-margin-bottom="0" />
+  <metadata
+     id="metadata5">
+    <rdf:RDF>
+      <cc:Work
+         rdf:about="">
+        <dc:format>image/svg+xml</dc:format>
+        <dc:type
+           rdf:resource="http://purl.org/dc/dcmitype/StillImage" />
+        <dc:title />
+      </cc:Work>
+    </rdf:RDF>
+  </metadata>
+  <g
+     inkscape:label="Layer 1"
+     inkscape:groupmode="layer"
+     id="layer1"
+     transform="translate(-149.15784,-175.92614)">
+    <g
+       id="g84497"
+       style="stroke-width:1.32291663;stroke-miterlimit:4;stroke-dasharray:none"
+       transform="translate(0,10.583333)">
+      <rect
+         style="fill:#ffffff;stroke:#000000;stroke-width:1.32291663;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
+         id="rect84485"
+         width="31.605196"
+         height="19.16976"
+         x="299.48376"
+         y="87.963303"
+         transform="rotate(30)" />
+      <rect
+         style="fill:#ffffff;stroke:#000000;stroke-width:1.32291663;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
+         id="rect84487"
+         width="16.725054"
+         height="9.8947001"
+         x="258.07639"
+         y="92.60083"
+         transform="rotate(30)" />
+      <rect
+         style="fill:#ffffff;stroke:#000000;stroke-width:1.32291663;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
+         id="rect84489"
+         width="4.8383565"
+         height="11.503917"
+         x="253.2236"
+         y="91.796227"
+         transform="rotate(30)" />
+      <rect
+         y="86.859642"
+         x="331.21924"
+         height="21.377089"
+         width="4.521956"
+         id="rect84491"
+         style="fill:#ffffff;stroke:#000000;stroke-width:1.32291663;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
+         transform="rotate(30)" />
+    </g>
+    <path
+       style="fill:#ffffff;stroke:#000000;stroke-width:1.32291663;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
+       d="m 246.61693,255.0795 -9.11198,15.78242 a 2.6351497,9.1643514 30 0 0 6.60453,-6.7032 2.6351497,9.1643514 30 0 0 2.50745,-9.07922 z"
+       id="path84483"
+       inkscape:connector-curvature="0" />
+    <path
+       sodipodi:nodetypes="cccccc"
+       inkscape:connector-curvature="0"
+       id="path84481"
+       d="m 202.36709,199.05917 26.65552,8.43269 21.69622,19.51455 -8.68507,12.39398 -46.04559,-26.61429 z"
+       style="fill:#ffffff;stroke:#000000;stroke-width:1.32291663;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952" />
+    <circle
+       style="fill:#ffffff;stroke:#000000;stroke-width:1.32291663;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
+       id="path84224"
+       cx="213.64427"
+       cy="234.18927"
+       r="35.482784" />
+    <circle
+       r="33.39888"
+       cy="234.18927"
+       cx="213.64427"
+       id="circle84226"
+       style="fill:url(#radialGradient84463);fill-opacity:1;stroke:none;stroke-width:0.52916664;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952" />
+    <rect
+       style="fill:#ffffff;stroke:#000000;stroke-width:0.79375005;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
+       id="rect84114"
+       width="31.605196"
+       height="19.16976"
+       x="304.77545"
+       y="97.128738"
+       transform="rotate(30)" />
+    <rect
+       style="fill:#ffffff;stroke:#000000;stroke-width:0.79374999;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
+       id="rect84116"
+       width="4.521956"
+       height="21.377089"
+       x="300.27435"
+       y="96.025078"
+       transform="rotate(30)" />
+    <rect
+       y="99.087395"
+       x="283.71848"
+       height="15.252436"
+       width="16.459545"
+       id="rect84118"
+       style="fill:#ffffff;stroke:#000000;stroke-width:0.79375005;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
+       transform="rotate(30)" />
+    <rect
+       y="98.190086"
+       x="280.00021"
+       height="17.047071"
+       width="3.617183"
+       id="rect84120"
+       style="fill:#ffffff;stroke:#000000;stroke-width:0.79374999;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
+       transform="rotate(30)" />
+    <rect
+       style="fill:#ffffff;stroke:#000000;stroke-width:0.79375005;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
+       id="rect84122"
+       width="16.725054"
+       height="9.8947001"
+       x="263.36807"
+       y="101.76627"
+       transform="rotate(30)" />
+    <rect
+       style="fill:#ffffff;stroke:#000000;stroke-width:0.79374999;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
+       id="rect84124"
+       width="4.8383565"
+       height="11.503917"
+       x="258.51526"
+       y="100.96166"
+       transform="rotate(30)" />
+    <rect
+       y="96.025078"
+       x="336.51093"
+       height="21.377089"
+       width="4.521956"
+       id="rect84126"
+       style="fill:#ffffff;stroke:#000000;stroke-width:0.79374999;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
+       transform="rotate(30)" />
+    <path
+       style="fill:url(#linearGradient84325);fill-opacity:1;stroke:none;stroke-width:0.79375005;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
+       d="m 207.24023,252.71811 25.53907,14.74414 8.52539,-14.76953 -25.53711,-14.74415 z"
+       id="rect84313"
+       inkscape:connector-curvature="0" />
+    <path
+       inkscape:connector-curvature="0"
+       id="path84128"
+       d="m 215.3335,241.36799 22.49734,12.98884"
+       style="fill:#ffffff;fill-rule:evenodd;stroke:#000000;stroke-width:0.52916664;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" />
+    <path
+       inkscape:connector-curvature="0"
+       id="path84130"
+       d="m 246.61693,255.0795 -9.11198,15.78242 a 2.6351497,9.1643514 30 0 0 6.60453,-6.7032 2.6351497,9.1643514 30 0 0 2.50745,-9.07922 z"
+       style="fill:#ffffff;stroke:#000000;stroke-width:0.79375005;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952" />
+    <path
+       style="fill:#ffffff;stroke:#000000;stroke-width:0.79374999;stroke-linecap:round;stroke-linejoin:round;stroke-dashoffset:5.99999952"
+       d="m 195.97877,212.80238 46.0456,26.61429 -3.50256,6.07342 -46.0456,-26.61429 z"
+       id="path84134"
+       inkscape:connector-curvature="0"
+       sodipodi:nodetypes="ccccc" />
+    <path
+       style="fill:#ffffff;stroke:#000000;stroke-width:0.79374999;stroke-linecap:round;stroke-linejoin:round;stroke-dashoffset:5.99999952"
+       d="m 202.36709,199.05917 26.65552,8.43269 21.69622,19.51455 -8.68507,12.39398 -46.04559,-26.61429 z"
+       id="path84136"
+       inkscape:connector-curvature="0"
+       sodipodi:nodetypes="cccccc" />
+    <path
+       style="fill:url(#linearGradient84422);fill-opacity:1;stroke:none;stroke-width:0.79374999;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
+       d="m 186.31445,239.41146 1.30078,0.75 7.46485,-12.92968 -1.30078,-0.75 z"
+       id="rect84410"
+       inkscape:connector-curvature="0" />
+    <path
+       style="fill:url(#linearGradient84349);fill-opacity:1;stroke:none;stroke-width:0.79374999;stroke-linecap:round;stroke-linejoin:round;stroke-dashoffset:5.99999952"
+       d="m 193.92188,218.48568 44.21289,25.55469 2.44335,-4.23242 -44.21289,-25.55664 z"
+       id="path84284"
+       inkscape:connector-curvature="0" />
+    <path
+       style="fill:url(#linearGradient84363);fill-opacity:1;stroke:none;stroke-width:0.79375005;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
+       d="m 189.98438,240.4935 12.42187,7.16992 6.56641,-11.375 -12.42188,-7.16992 z"
+       id="rect84351"
+       inkscape:connector-curvature="0" />
+    <path
+       style="fill:url(#linearGradient84377);fill-opacity:1;stroke:none;stroke-width:0.79375005;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
+       d="m 173.69727,227.99936 12.65234,7.30273 3.88867,-6.73633 -12.65234,-7.30273 z"
+       id="rect84365"
+       inkscape:connector-curvature="0" />
+    <path
+       sodipodi:nodetypes="ccccc"
+       inkscape:connector-curvature="0"
+       id="path84138"
+       d="m 192.47621,218.8758 -11.1013,8.29627 c 0,0 6.16202,4.57403 15.2798,4.67656 9.1178,0.1025 11.46925,-3.93799 11.46925,-3.93799 z"
+       style="fill:#ffffff;fill-rule:evenodd;stroke:#000000;stroke-width:0.79374999;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" />
+    <ellipse
+       cy="223.01579"
+       cx="207.08998"
+       id="circle84140"
+       style="fill:#ffffff;stroke:#000000;stroke-width:0.79374999;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
+       rx="3.8395541"
+       ry="3.8438656" />
+    <path
+       style="fill:url(#linearGradient84333);fill-opacity:1;stroke:none;stroke-width:0.79374999;stroke-linecap:round;stroke-linejoin:round;stroke-dashoffset:5.99999952"
+       d="m 197.35938,212.35287 44.36523,25.64453 7.58984,-10.83203 -20.82617,-18.73242 -25.55078,-8.08399 z"
+       id="path84272"
+       inkscape:connector-curvature="0" />
+    <path
+       inkscape:connector-curvature="0"
+       id="path84142"
+       d="m 200.6837,212.37603 11.49279,-6.98413 -8.11935,-2.73742"
+       style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:0.5291667;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" />
+    <path
+       inkscape:connector-curvature="0"
+       id="path84144"
+       d="m 241.31895,235.3047 -8.04514,-4.75769 10.057,-4.72299"
+       style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:0.5291667;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+       sodipodi:nodetypes="ccc" />
+    <path
+       sodipodi:nodetypes="ccc"
+       style="fill:none;fill-rule:evenodd;stroke:#2a72ac;stroke-width:0.52899998;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+       d="m 241.06868,235.79543 -8.9307,-5.38071 10.81942,-5.07707"
+       id="path84280"
+       inkscape:connector-curvature="0" />
+    <path
+       style="fill:none;fill-rule:evenodd;stroke:#2a72ac;stroke-width:0.5291667;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+       d="m 200.60886,211.70589 10.37702,-6.1817 -7.12581,-2.30459"
+       id="path84290"
+       inkscape:connector-curvature="0"
+       sodipodi:nodetypes="ccc" />
+    <path
+       style="fill:url(#radialGradient84471);fill-opacity:1;stroke:none;stroke-width:0.79374999;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
+       d="m 206.89258,220.23959 -0.29297,0.0352 -0.23633,0.0527 -0.26953,0.0898 -0.2793,0.125 -0.23437,0.13477 -0.20508,0.14648 -0.2207,0.19532 -0.18946,0.20117 -0.006,0.008 0.004,-0.008 -0.006,0.01 -0.008,0.01 -0.004,0.004 -0.006,0.006 -0.12109,0.1582 -0.002,0.004 -0.002,0.002 -0.16406,0.26758 -0.12109,0.24804 -0.0996,0.28125 -0.0645,0.24219 -0.0371,0.26367 -0.0176,0.31641 0.008,0.18164 0.0332,0.28711 0.0527,0.23437 0.004,0.0117 0.0937,0.28516 0.11133,0.24805 0.13086,0.23046 0.16992,0.23829 0.1836,0.20898 0.21093,0.19727 0.19532,0.14843 0.25586,0.15625 0.24218,0.11719 0.26172,0.0977 0.27344,0.0684 0.27344,0.043 0.29297,0.0137 0.18164,-0.008 0.29687,-0.0351 0.24024,-0.0547 0.27539,-0.0898 0.24218,-0.10938 0.25,-0.14453 0.23047,-0.16406 0.20899,-0.1836 0.20508,-0.21875 0.125,-0.16406 0.004,-0.006 0.1582,-0.25781 0.004,-0.008 0.12695,-0.26172 0.0996,-0.27344 0.002,-0.006 0.0586,-0.24023 0.0391,-0.26563 0.0176,-0.3125 -0.008,-0.17968 -0.0332,-0.28711 -0.0527,-0.23438 -0.004,-0.0117 -0.0937,-0.28515 -0.11132,-0.24805 -0.13086,-0.23047 -0.16993,-0.23828 -0.18554,-0.20899 -0.19922,-0.18945 -0.21875,-0.16406 -0.23828,-0.14844 -0.26563,-0.12695 -0.01,-0.004 -0.21875,-0.0801 -0.28516,-0.0723 -0.27344,-0.043 -0.29492,-0.0137 z"
+       id="ellipse84292"
+       inkscape:connector-curvature="0" />
+    <path
+       style="fill:url(#linearGradient84425);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:0.79374999;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+       d="m 183.23633,227.10092 c 5.59753,3.20336 12.36881,4.51528 18.71366,3.17108 1.59516,-0.38 3.17489,-0.99021 4.44874,-2.04739 -0.73893,-0.64617 -1.68301,-0.99544 -2.49844,-1.53493 -3.78032,-2.18293 -7.56064,-4.36587 -11.34096,-6.5488 -3.10767,2.32001 -6.21533,4.64003 -9.323,6.96004 z"
+       id="path84298"
+       inkscape:connector-curvature="0"
+       sodipodi:nodetypes="cccccc" />
+    <path
+       style="fill:url(#linearGradient84479);fill-opacity:1;stroke:none;stroke-width:0.79375005;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
+       d="m 238.62695,269.97787 0.006,-0.002 0.39453,-0.27735 0.41797,-0.34179 0.002,-0.002 0.45703,-0.42382 0.47851,-0.49219 0.0156,-0.0176 0.47656,-0.53711 0.002,-0.002 0.0117,-0.0137 0.48438,-0.5918 0.0117,-0.0156 0.49023,-0.64257 0.01,-0.0137 0.49609,-0.69726 0.48047,-0.71875 0.01,-0.0137 0.46485,-0.74805 0.004,-0.008 0.002,-0.002 0.30468,-0.51562 0.008,-0.0117 0.4375,-0.78711 0.40625,-0.77734 0.008,-0.0137 0.37109,-0.77149 0.008,-0.0156 0.33789,-0.75977 0.006,-0.0156 0.30078,-0.73829 0.27148,-0.74609 0.21289,-0.66602 0.17969,-0.66796 v -0.002 l 0.12305,-0.58203 0.002,-0.0137 0.0723,-0.51562 0.0176,-0.31836 z"
+       id="path84379"
+       inkscape:connector-curvature="0" />
+    <path
+       style="fill:url(#linearGradient84408);fill-opacity:1;stroke:none;stroke-width:0.79374999;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
+       d="m 202.78906,251.42318 2.08399,1.20118 9.6289,-16.67969 -2.08203,-1.20117 z"
+       id="rect84396"
+       inkscape:connector-curvature="0" />
+    <path
+       style="fill:url(#linearGradient84441);fill-opacity:1;stroke:none;stroke-width:0.79374999;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
+       d="m 169.0918,226.26889 2.35937,1.36133 4.69336,-8.13086 -2.35937,-1.36133 z"
+       id="rect84429"
+       inkscape:connector-curvature="0" />
+    <path
+       style="fill:url(#linearGradient84455);fill-opacity:1;stroke:none;stroke-width:0.79374999;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
+       d="m 234.17188,269.53842 2.08203,1.20312 9.63086,-16.67773 -2.08399,-1.20313 z"
+       id="rect84443"
+       inkscape:connector-curvature="0" />
+    <path
+       style="fill:#ffffff;fill-rule:evenodd;stroke:#f8ead2;stroke-width:0.52916664;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+       d="m 215.55025,240.82707 22.49734,12.98884"
+       id="path84521"
+       inkscape:connector-curvature="0" />
+  </g>
+</svg>

go.mod

@@ -0,0 +1,103 @@
+module github.com/containers/skopeo
+
+go 1.17
+
+require (
+	github.com/containers/common v0.47.4
+	github.com/containers/image/v5 v5.19.1
+	github.com/containers/ocicrypt v1.1.2
+	github.com/containers/storage v1.38.2
+	github.com/docker/docker v20.10.12+incompatible
+	github.com/opencontainers/go-digest v1.0.0
+	github.com/opencontainers/image-spec v1.0.3-0.20211202193544-a5463b7f9c84
+	github.com/opencontainers/image-tools v1.0.0-rc3
+	github.com/pkg/errors v0.9.1
+	github.com/sirupsen/logrus v1.8.1
+	github.com/spf13/cobra v1.3.0
+	github.com/spf13/pflag v1.0.5
+	github.com/stretchr/testify v1.7.0
+	github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635
+	gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c
+	gopkg.in/yaml.v2 v2.4.0
+)
+
+require (
+	github.com/BurntSushi/toml v1.0.0 // indirect
+	github.com/Microsoft/go-winio v0.5.1 // indirect
+	github.com/Microsoft/hcsshim v0.9.2 // indirect
+	github.com/VividCortex/ewma v1.2.0 // indirect
+	github.com/acarl005/stripansi v0.0.0-20180116102854-5a71ef0e047d // indirect
+	github.com/beorn7/perks v1.0.1 // indirect
+	github.com/cespare/xxhash/v2 v2.1.2 // indirect
+	github.com/containerd/cgroups v1.0.1 // indirect
+	github.com/containerd/containerd v1.5.9 // indirect
+	github.com/containerd/stargz-snapshotter/estargz v0.11.0 // indirect
+	github.com/containers/libtrust v0.0.0-20190913040956-14b96171aa3b // indirect
+	github.com/cyphar/filepath-securejoin v0.2.3 // indirect
+	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/docker/distribution v2.8.0+incompatible // indirect
+	github.com/docker/docker-credential-helpers v0.6.4 // indirect
+	github.com/docker/go-connections v0.4.0 // indirect
+	github.com/docker/go-metrics v0.0.1 // indirect
+	github.com/docker/go-units v0.4.0 // indirect
+	github.com/dsnet/compress v0.0.2-0.20210315054119-f66993602bf5 // indirect
+	github.com/ghodss/yaml v1.0.0 // indirect
+	github.com/gogo/protobuf v1.3.2 // indirect
+	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
+	github.com/golang/protobuf v1.5.2 // indirect
+	github.com/google/go-intervals v0.0.2 // indirect
+	github.com/google/uuid v1.3.0 // indirect
+	github.com/gorilla/mux v1.8.0 // indirect
+	github.com/hashicorp/errwrap v1.0.0 // indirect
+	github.com/hashicorp/go-multierror v1.1.1 // indirect
+	github.com/imdario/mergo v0.3.12 // indirect
+	github.com/inconshreveable/mousetrap v1.0.0 // indirect
+	github.com/json-iterator/go v1.1.12 // indirect
+	github.com/klauspost/compress v1.14.2 // indirect
+	github.com/klauspost/pgzip v1.2.5 // indirect
+	github.com/kr/pretty v0.2.1 // indirect
+	github.com/kr/text v0.2.0 // indirect
+	github.com/mattn/go-runewidth v0.0.13 // indirect
+	github.com/mattn/go-shellwords v1.0.12 // indirect
+	github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 // indirect
+	github.com/miekg/pkcs11 v1.0.3 // indirect
+	github.com/mistifyio/go-zfs v2.1.2-0.20190413222219-f784269be439+incompatible // indirect
+	github.com/moby/sys/mountinfo v0.5.0 // indirect
+	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
+	github.com/modern-go/reflect2 v1.0.2 // indirect
+	github.com/opencontainers/runc v1.1.0 // indirect
+	github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417 // indirect
+	github.com/opencontainers/selinux v1.10.0 // indirect
+	github.com/ostreedev/ostree-go v0.0.0-20190702140239-759a8c1ac913 // indirect
+	github.com/pmezard/go-difflib v1.0.0 // indirect
+	github.com/proglottis/gpgme v0.1.1 // indirect
+	github.com/prometheus/client_golang v1.11.1 // indirect
+	github.com/prometheus/client_model v0.2.0 // indirect
+	github.com/prometheus/common v0.26.0 // indirect
+	github.com/prometheus/procfs v0.6.0 // indirect
+	github.com/rivo/uniseg v0.2.0 // indirect
+	github.com/russross/blackfriday v2.0.0+incompatible // indirect
+	github.com/stefanberger/go-pkcs11uri v0.0.0-20201008174630-78d3cae3a980 // indirect
+	github.com/sylabs/sif/v2 v2.3.1 // indirect
+	github.com/tchap/go-patricia v2.3.0+incompatible // indirect
+	github.com/ulikunitz/xz v0.5.10 // indirect
+	github.com/vbatts/tar-split v0.11.2 // indirect
+	github.com/vbauerster/mpb/v7 v7.3.2 // indirect
+	github.com/xeipuuv/gojsonpointer v0.0.0-20190809123943-df4f5c81cb3b // indirect
+	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
+	github.com/xeipuuv/gojsonschema v1.2.0 // indirect
+	go.etcd.io/bbolt v1.3.6 // indirect
+	go.mozilla.org/pkcs7 v0.0.0-20200128120323-432b2356ecb1 // indirect
+	go.opencensus.io v0.23.0 // indirect
+	golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3 // indirect
+	golang.org/x/net v0.7.0 // indirect
+	golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4 // indirect
+	golang.org/x/sys v0.5.0 // indirect
+	golang.org/x/term v0.5.0 // indirect
+	golang.org/x/text v0.7.0 // indirect
+	google.golang.org/genproto v0.0.0-20211208223120-3a66f561d7aa // indirect
+	google.golang.org/grpc v1.42.0 // indirect
+	google.golang.org/protobuf v1.27.1 // indirect
+	gopkg.in/square/go-jose.v2 v2.5.1 // indirect
+	gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b // indirect
+)

hack/.vendor-helpers.sh

@@ -1,103 +0,0 @@
-#!/usr/bin/env bash
-
-PROJECT=github.com/runcom/skopeo
-
-# Downloads dependencies into vendor/ directory
-mkdir -p vendor
-
-export GOPATH="$GOPATH:${PWD}/vendor"
-
-find="/usr/bin/find"
-
-clone() {
-	local vcs="$1"
-	local pkg="$2"
-	local rev="$3"
-	local url="$4"
-
-	: ${url:=https://$pkg}
-	local target="vendor/src/$pkg"
-
-	echo -n "$pkg @ $rev: "
-
-	if [ -d "$target" ]; then
-		echo -n 'rm old, '
-		rm -rf "$target"
-	fi
-
-	echo -n 'clone, '
-	case "$vcs" in
-		git)
-			git clone --quiet --no-checkout "$url" "$target"
-			( cd "$target" && git checkout --quiet "$rev" && git reset --quiet --hard "$rev" )
-			;;
-		hg)
-			hg clone --quiet --updaterev "$rev" "$url" "$target"
-			;;
-	esac
-
-	echo -n 'rm VCS, '
-	( cd "$target" && rm -rf .{git,hg} )
-
-	echo -n 'rm vendor, '
-	( cd "$target" && rm -rf vendor Godeps/_workspace )
-
-	echo done
-}
-
-clean() {
-	local packages=(
-		"${PROJECT}" # package main
-		"${PROJECT}/integration" # package main
-	)
-	local platforms=( linux/amd64 linux/386 )
-
-	local buildTags=(  )
-
-	echo
-
-	echo -n 'collecting import graph, '
-	local IFS=$'\n'
-	local imports=( $(
-		for platform in "${platforms[@]}"; do
-			export GOOS="${platform%/*}";
-			export GOARCH="${platform##*/}";
-			go list -e -tags "$buildTags" -f '{{join .Deps "\n"}}' "${packages[@]}"
-			go list -e -tags "$buildTags" -f '{{join .TestImports "\n"}}' "${packages[@]}"
-		done | grep -vE "^${PROJECT}" | sort -u
-	) )
-	imports=( $(go list -e -f '{{if not .Standard}}{{.ImportPath}}{{end}}' "${imports[@]}") )
-	unset IFS
-
-	echo -n 'pruning unused packages, '
-	findArgs=(
-		# This directory contains only .c and .h files which are necessary
-		# -path vendor/src/github.com/mattn/go-sqlite3/code
-	)
-	for import in "${imports[@]}"; do
-		[ "${#findArgs[@]}" -eq 0 ] || findArgs+=( -or )
-		findArgs+=( -path "vendor/src/$import" )
-	done
-	local IFS=$'\n'
-	local prune=( $($find vendor -depth -type d -not '(' "${findArgs[@]}" ')') )
-	unset IFS
-	for dir in "${prune[@]}"; do
-		$find "$dir" -maxdepth 1 -not -type d -not -name 'LICENSE*' -not -name 'COPYING*' -exec rm -v -f '{}' ';'
-		rmdir "$dir" 2>/dev/null || true
-	done
-
-	echo -n 'pruning unused files, '
-	$find vendor -type f -name '*_test.go' -exec rm -v '{}' ';'
-
-	echo done
-}
-
-# Fix up hard-coded imports that refer to Godeps paths so they'll work with our vendoring
-fix_rewritten_imports () {
-       local pkg="$1"
-       local remove="${pkg}/Godeps/_workspace/src/"
-       local target="vendor/src/$pkg"
-
-       echo "$pkg: fixing rewritten imports"
-       $find "$target" -name \*.go -exec sed -i -e "s|\"${remove}|\"|g" {} \;
-}

hack/btrfs_installed_tag.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+cc -E - > /dev/null 2> /dev/null << EOF
+#include <btrfs/ioctl.h>
+EOF
+if test $? -ne 0 ; then
+	echo exclude_graphdriver_btrfs
+fi

hack/btrfs_tag.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+cc -E - > /dev/null 2> /dev/null << EOF
+#include <btrfs/version.h>
+EOF
+if test $? -ne 0 ; then
+	echo btrfs_noversion
+fi

hack/get_ci_vm.sh

@@ -0,0 +1,61 @@
+#!/usr/bin/env bash
+
+#
+# For help and usage information, simply execute the script w/o any arguments.
+#
+# This script is intended to be run by Red Hat skopeo developers who need
+# to debug problems specifically related to Cirrus-CI automated testing.
+# It requires that you have been granted prior access to create VMs in
+# google-cloud.  For non-Red Hat contributors, VMs are available as-needed,
+# with supervision upon request.
+
+set -e
+
+SCRIPT_FILEPATH=$(realpath "${BASH_SOURCE[0]}")
+SCRIPT_DIRPATH=$(dirname "$SCRIPT_FILEPATH")
+REPO_DIRPATH=$(realpath "$SCRIPT_DIRPATH/../")
+
+# Help detect if we were called by get_ci_vm container
+GET_CI_VM="${GET_CI_VM:-0}"
+in_get_ci_vm() {
+    if ((GET_CI_VM==0)); then
+        echo "Error: $1 is not intended for use in this context"
+        exit 2
+    fi
+}
+
+# get_ci_vm APIv1 container entrypoint calls into this script
+# to obtain required repo. specific configuration options.
+if [[ "$1" == "--config" ]]; then
+    in_get_ci_vm "$1"
+    cat <<EOF
+DESTDIR="/var/tmp/go/src/github.com/containers/skopeo"
+UPSTREAM_REPO="https://github.com/containers/skopeo.git"
+GCLOUD_PROJECT="skopeo"
+GCLOUD_IMGPROJECT="libpod-218412"
+GCLOUD_CFG="skopeo"
+GCLOUD_ZONE="${GCLOUD_ZONE:-us-central1-f}"
+GCLOUD_CPUS="2"
+GCLOUD_MEMORY="4Gb"
+GCLOUD_DISK="200"
+EOF
+elif [[ "$1" == "--setup" ]]; then
+    in_get_ci_vm "$1"
+    # get_ci_vm container entrypoint calls us with this option on the
+    # Cirrus-CI environment instance, to perform repo.-specific setup.
+    echo "+ Executing setup" > /dev/stderr
+    ${GOSRC}/${SCRIPT_BASE}/runner.sh setup
+else
+    # Create and access VM for specified Cirrus-CI task
+    mkdir -p $HOME/.config/gcloud/ssh
+    podman run -it --rm \
+        --tz=local \
+        -e NAME="$USER" \
+        -e SRCDIR=/src \
+        -e GCLOUD_ZONE="$GCLOUD_ZONE" \
+        -e DEBUG="${DEBUG:-0}" \
+        -v $REPO_DIRPATH:/src:O \
+        -v $HOME/.config/gcloud:/root/.config/gcloud:z \
+        -v $HOME/.config/gcloud/ssh:/root/.ssh:z \
+        quay.io/libpod/get_ci_vm:latest "$@"
+fi

hack/get_fqin.sh

@@ -0,0 +1,34 @@
+#!/usr/bin/env bash
+
+# This script is intended to be called from the Makefile.  It's purpose
+# is to automation correspondence between the environment used for local
+# development and CI.
+
+set -e
+
+SCRIPT_FILEPATH=$(realpath "${BASH_SOURCE[0]}")
+SCRIPT_DIRPATH=$(dirname "$SCRIPT_FILEPATH")
+REPO_DIRPATH=$(realpath "$SCRIPT_DIRPATH/../")
+
+# When running under CI, we already have the necessary information,
+# simply provide it to the Makefile.
+if [[ -n "$SKOPEO_CIDEV_CONTAINER_FQIN" ]]; then
+    echo "$SKOPEO_CIDEV_CONTAINER_FQIN"
+    exit 0
+fi
+
+if [[ -n $(command -v podman) ]]; then CONTAINER_RUNTIME=podman; fi
+CONTAINER_RUNTIME=${CONTAINER_RUNTIME:-docker}
+
+# Borrow the get_ci_vm container image since it's small, and
+# by necessity contains a script that can accurately interpret
+# env. var. values from any .cirrus.yml runtime context.
+$CONTAINER_RUNTIME run --rm \
+    --security-opt label=disable \
+    -v $REPO_DIRPATH:/src:ro \
+    --entrypoint=/usr/share/automation/bin/cirrus-ci_env.py \
+    quay.io/libpod/get_ci_vm:latest \
+    --envs="Skopeo Test" /src/.cirrus.yml | \
+    egrep -m1 '^SKOPEO_CIDEV_CONTAINER_FQIN' | \
+    awk -F "=" -e '{print $2}' | \
+    tr -d \'\"

hack/libdm_tag.sh

@@ -0,0 +1,14 @@
+#!/bin/bash
+tmpdir="$PWD/tmp.$RANDOM"
+mkdir -p "$tmpdir"
+trap 'rm -fr "$tmpdir"' EXIT
+cc -c -o "$tmpdir"/libdm_tag.o -x c - > /dev/null 2> /dev/null << EOF
+#include <libdevmapper.h>
+int main() {
+	struct dm_task *task;
+	return 0;
+}
+EOF
+if test $? -ne 0 ; then
+	echo libdm_no_deferred_remove
+fi

hack/libsubid_tag.sh

@@ -0,0 +1,19 @@
+#!/usr/bin/env bash
+if test $(${GO:-go} env GOOS) != "linux" ; then
+	exit 0
+fi
+tmpdir="$PWD/tmp.$RANDOM"
+mkdir -p "$tmpdir"
+trap 'rm -fr "$tmpdir"' EXIT
+cc -o "$tmpdir"/libsubid_tag -l subid -x c - > /dev/null 2> /dev/null << EOF
+#include <shadow/subid.h>
+int main() {
+	struct subid_range *ranges = NULL;
+	get_subuid_ranges("root", &ranges);
+	free(ranges);
+	return 0;
+}
+EOF
+if test $? -eq 0 ; then
+	echo libsubid
+fi

hack/make.sh

@@ -2,15 +2,14 @@
 set -e
 
 # This script builds various binary from a checkout of the skopeo
-# source code.
+# source code. DO NOT CALL THIS SCRIPT DIRECTLY.
 #
 # Requirements:
 # - The current directory should be a checkout of the skopeo source code
-#   (https://github.com/runcom/skopeo). Whatever version is checked out
+#   (https://github.com/containers/skopeo). Whatever version is checked out
 #   will be built.
-# - The script is intended to be run inside the docker container specified
-#   in the Dockerfile at the root of the source. In other words:
-#   DO NOT CALL THIS SCRIPT DIRECTLY.
+# - The script is intended to be run inside the container specified
+#   in the output of hack/get_fqin.sh
 # - The right way to call this script is to invoke "make" from
 #   your checkout of the skopeo repository.
 #   the Makefile will do a "docker build -t skopeo ." and then
@@ -19,26 +18,23 @@ set -e
 
 set -o pipefail
 
-export SKOPEO_PKG='github.com/runcom/skopeo'
+export SKOPEO_PKG='github.com/containers/skopeo'
 export SCRIPTDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 export MAKEDIR="$SCRIPTDIR/make"
 
-# We're a nice, sexy, little shell script, and people might try to run us;
-# but really, they shouldn't. We want to be in a container!
-inContainer="AssumeSoInitially"
-if [ "$PWD" != "/go/src/$SKOPEO_PKG" ]; then
-	unset inContainer
-fi
+# Set this to 1 to enable installation/modification of environment/services
+export SKOPEO_CONTAINER_TESTS=${SKOPEO_CONTAINER_TESTS:-0}
 
-if [ -z "$inContainer" ]; then
-	{
-		echo "# WARNING! I don't seem to be running in a Docker container."
-		echo "# The result of this command might be an incorrect build, and will not be"
-		echo "# officially supported."
-		echo "#"
-		echo "# Try this instead: make all"
-		echo "#"
-	} >&2
+if [[ "$SKOPEO_CONTAINER_TESTS" == "0" ]] && [[ "$CI" != "true" ]]; then
+    (
+    echo "***************************************************************"
+    echo "WARNING: Executing tests directly on the local development"
+    echo "         host is highly discouraged.  Many important items"
+    echo "         will be skipped.  For manual execution, please utilize"
+    echo "         the Makefile targets WITHOUT the '-local' suffix."
+    echo "***************************************************************"
+    ) > /dev/stderr
+    sleep 5s
 fi
 
 echo
@@ -57,25 +53,21 @@ DEFAULT_BUNDLES=(
 	test-integration
 )
 
-TESTFLAGS+=" -test.timeout=10m"
+# Go module support: set `-mod=vendor` to use the vendored sources
+# See also the top-level Makefile.
+mod_vendor=
+if go help mod >/dev/null 2>&1; then
+  export GO111MODULE=on
+  mod_vendor='-mod=vendor'
+fi
 
-# If $TESTFLAGS is set in the environment, it is passed as extra arguments to 'go test'.
-# You can use this to select certain tests to run, eg.
-#
-#     TESTFLAGS='-test.run ^TestBuild$' ./hack/make.sh test-unit
-#
-# For integration-cli test, we use [gocheck](https://labix.org/gocheck), if you want
-# to run certain tests on your local host, you should run with command:
-#
-#     TESTFLAGS='-check.f DockerSuite.TestBuild*' ./hack/make.sh binary test-integration-cli
-#
 go_test_dir() {
 	dir=$1
 	(
-		echo '+ go test' $TESTFLAGS "${SKOPEO_PKG}${dir#.}"
+		echo '+ go test' $mod_vendor $TESTFLAGS ${BUILDTAGS:+-tags "$BUILDTAGS"} "${SKOPEO_PKG}${dir#.}"
 		cd "$dir"
 		export DEST="$ABS_DEST" # we're in a subshell, so this is safe -- our integration-cli tests need DEST, and "cd" screws it up
-		go test $TESTFLAGS
+		go test $mod_vendor $TESTFLAGS ${BUILDTAGS:+-tags "$BUILDTAGS"}
 	)
 }
 

hack/make/.validate

@@ -4,8 +4,8 @@ if [ -z "$VALIDATE_UPSTREAM" ]; then
 	# this is kind of an expensive check, so let's not do this twice if we
 	# are running more than one validate bundlescript
 	
-	VALIDATE_REPO='https://github.com/runcom/skopeo.git'
-	VALIDATE_BRANCH='master'
+	VALIDATE_REPO='https://github.com/containers/skopeo.git'
+	VALIDATE_BRANCH='main'
 	
 	if [ "$TRAVIS" = 'true' -a "$TRAVIS_PULL_REQUEST" != 'false' ]; then
 		VALIDATE_REPO="https://github.com/${TRAVIS_REPO_SLUG}.git"
@@ -21,9 +21,7 @@ if [ -z "$VALIDATE_UPSTREAM" ]; then
 	VALIDATE_COMMIT_DIFF="$VALIDATE_UPSTREAM...$VALIDATE_HEAD"
 	
 	validate_diff() {
-		if [ "$VALIDATE_UPSTREAM" != "$VALIDATE_HEAD" ]; then
-			git diff "$VALIDATE_COMMIT_DIFF" "$@"
-		fi
+		git diff "$VALIDATE_UPSTREAM" "$@"
 	}
 	validate_log() {
 		if [ "$VALIDATE_UPSTREAM" != "$VALIDATE_HEAD" ]; then

hack/make/test-integration

@@ -2,14 +2,11 @@
 set -e
 
 bundle_test_integration() {
-	TESTFLAGS="$TESTFLAGS -check.v"
 	go_test_dir ./integration
 }
 
 # subshell so that we can export PATH without breaking other things
 (
-	make binary
-	make install-binary
-	export GO15VENDOREXPERIMENT=1
+	make PREFIX=/usr install
 	bundle_test_integration
 ) 2>&1

hack/make/test-system

@@ -0,0 +1,24 @@
+#!/bin/bash
+set -e
+
+# These tests can run in/outside of a container.  However,
+# not all storage drivers are supported in a container
+# environment.  Detect this and setup storage when
+# running in a container.
+if ((SKOPEO_CONTAINER_TESTS)) && [[ -r /etc/containers/storage.conf ]]; then
+    sed -i \
+        -e 's/^driver\s*=.*/driver = "vfs"/' \
+        -e 's/^mountopt/#mountopt/' \
+        /etc/containers/storage.conf
+elif ((SKOPEO_CONTAINER_TESTS)); then
+    cat >> /etc/containers/storage.conf << EOF
+[storage]
+driver = "vfs"
+EOF
+fi
+
+# Build skopeo, install into /usr/bin
+make PREFIX=/usr install
+
+# Run tests
+SKOPEO_BINARY=/usr/bin/skopeo bats --tap systemtest

hack/make/validate-gofmt

@@ -8,8 +8,7 @@ unset IFS
 
 badFiles=()
 for f in "${files[@]}"; do
-	# we use "git show" here to validate that what's committed is formatted
-	if [ "$(git show "$VALIDATE_HEAD:$f" | gofmt -s -l)" ]; then
+	if [ "$(gofmt -s -l < $f)" ]; then
 		badFiles+=( "$f" )
 	fi
 done

hack/make/validate-lint

@@ -11,7 +11,6 @@ unset IFS
 
 errors=()
 for f in "${files[@]}"; do
-	# we use "git show" here to validate that what's committed passes go lint
 	failedLint=$(golint "$f")
 	if [ "$failedLint" ]; then
 		errors+=( "$failedLint" )

hack/make/validate-vet

@@ -1,29 +1,13 @@
 #!/bin/bash
 
-source "$(dirname "$BASH_SOURCE")/.validate"
+errors=$(go vet -tags="${BUILDTAGS}" $mod_vendor $(go list $mod_vendor -e ./...))
 
-IFS=$'\n'
-files=( $(validate_diff --diff-filter=ACMR --name-only -- '*.go' | grep -v '^vendor/' || true) )
-unset IFS
-
-errors=()
-for f in "${files[@]}"; do
-	# we use "git show" here to validate that what's committed passes go vet
-	failedVet=$(go vet "$f")
-	if [ "$failedVet" ]; then
-		errors+=( "$failedVet" )
-	fi
-done
-
-
-if [ ${#errors[@]} -eq 0 ]; then
+if [ -z "$errors" ]; then
 	echo 'Congratulations!  All Go source files have been vetted.'
 else
 	{
 		echo "Errors from go vet:"
-		for err in "${errors[@]}"; do
-			echo " - $err"
-		done
+		echo "$errors"
 		echo
 		echo 'Please fix the above errors. You can test via "go vet" and commit the result.'
 		echo

hack/man-page-checker

@@ -0,0 +1,150 @@
+#!/usr/bin/env bash
+#
+# man-page-checker - validate and cross-reference man page names
+#
+# This is the script that cross-checks BETWEEN MAN PAGES. It is not the
+# script that cross-checks that each option in skopeo foo --help is listed
+# in skopeo-foo.1.md and vice-versa; that one is xref-helpmsgs-manpages.
+#
+
+verbose=
+for i; do
+    case "$i" in
+        -v|--verbose)   verbose=verbose ;;
+    esac
+done
+
+
+die() {
+    echo "$(basename $0): $*" >&2
+    exit 1
+}
+
+cd $(dirname $0)/../docs || die "Please run me from top-level skopeo dir"
+
+rc=0
+
+# Pass 1: cross-check file names with NAME section
+#
+# for a given skopeo-foo.1.md, the NAME should be 'skopeo-foo'
+for md in *.1.md;do
+    # Read the first line after '## NAME'
+    name=$(egrep -A1 '^## NAME' $md|tail -1|awk '{print $1}' | tr -d \\\\)
+
+    expect=$(basename $md .1.md)
+    if [ "$name" != "$expect" ]; then
+        echo
+        printf "Inconsistent program NAME in %s:\n" $md
+        printf "  NAME= %s  (expected: %s)\n" $name $expect
+        rc=1
+    fi
+done
+
+# Pass 2: compare descriptions.
+#
+# Make sure the descriptive text in skopeo-foo.1.md matches the one
+# in the table in skopeo.1.md.
+for md in $(ls -1 *-*.1.md);do
+    desc=$(egrep -A1 '^## NAME' $md|tail -1|sed -E -e 's/^skopeo[^[:space:]]+ - //')
+
+    # Find the descriptive text in the main skopeo man page.
+    parent=skopeo.1.md
+    parent_desc=$(grep $md $parent | awk -F'|' '{print $3}' | sed -E -e 's/^[[:space:]]+//' -e 's/[[:space:]]+$//')
+
+    if [ "$desc" != "$parent_desc" ]; then
+        echo
+        printf "Inconsistent subcommand descriptions:\n"
+        printf "  %-32s = '%s'\n" $md "$desc"
+        printf "  %-32s = '%s'\n" $parent "$parent_desc"
+        printf "Please ensure that the NAME section of $md\n"
+        printf "matches the subcommand description in $parent\n"
+        rc=1
+    fi
+done
+
+# Helper function: compares man page synopsis vs --help usage message
+function compare_usage() {
+    local cmd="$1"
+    local from_man="$2"
+
+    # Run 'cmd --help', grab the line immediately after 'Usage:'
+    local help_output=$(../bin/$cmd --help)
+    local from_help=$(echo "$help_output" | grep -A1 '^Usage:' | tail -1)
+
+    # strip off command name from both
+    from_man=$(sed -E -e "s/\*\*$cmd\*\*[[:space:]]*//" <<<"$from_man")
+    from_help=$(sed -E -e "s/^[[:space:]]*$cmd[[:space:]]*//" <<<"$from_help")
+
+    # man page lists 'foo [*options*]', help msg shows 'foo [command options]'.
+    # Make sure if one has it, the other does too.
+    if expr "$from_man" : "\[\*options\*\]" >/dev/null; then
+        if expr "$from_help" : "\[command options\]" >/dev/null; then
+            :
+        else
+            echo "WARNING: $cmd: man page shows '[*options*]', help does not show [command options]"
+            rc=1
+       fi
+    elif expr "$from_help" : "\[command options\]" >/dev/null; then
+        echo "WARNING: $cmd: --help shows [command options], man page does not show [*options*]"
+        rc=1
+    fi
+
+    # Strip off options and flags; start comparing arguments
+    from_man=$(sed  -E -e 's/^\[\*options\*\][[:space:]]*//' <<<"$from_man")
+    from_help=$(sed -E -e 's/^\[command options\][[:space:]]*//'      <<<"$from_help")
+
+    # Constant strings in man page are '**foo**', in --help are 'foo'.
+    from_man=$(sed -E -e 's/\*\*([^*]+)\*\*/\1/g' <<<"$from_man")
+
+    # Args in man page are '_foo_', in --help are 'FOO'. Convert all to
+    # UPCASE simply because it stands out better to the eye.
+    from_man=$(sed -E -e 's/_([a-z-]+)_/\U\1/g' <<<"$from_man")
+
+    # Compare man-page and --help usage strings. Skip 'skopeo' itself,
+    # because the man page includes '[global options]' which we don't grok.
+    if [[ "$from_man" != "$from_help" && "$cmd" != "skopeo" ]]; then
+        printf "%-25s man='%s' help='%s'\n" "$cmd:" "$from_man" "$from_help"
+        rc=1
+    fi
+}
+
+# Pass 3: compare synopses.
+#
+# Make sure the SYNOPSIS line in skopeo-foo.1.md reads '**skopeo foo** ...'
+for md in *.1.md;do
+    synopsis=$(egrep -A1 '^#* SYNOPSIS' $md|tail -1)
+
+    # Command name must be bracketed by double asterisks; options and
+    # arguments are bracketed by single ones.
+    #   E.g. '**skopeo copy** [*options*] _..._'
+    # Get the command name, and confirm that it matches the md file name.
+    cmd=$(echo "$synopsis" | sed -E -e 's/^\*\*([^*]+)\*\*.*/\1/' | tr -d \*)
+    # Use sed, not tr, so we only replace the first dash: we want
+    # skopeo-list-tags -> "skopeo list-tags", not "skopeo list tags"
+    md_nodash=$(basename "$md" .1.md | sed -e 's/-/ /')
+    if [ "$cmd" != "$md_nodash" ]; then
+        echo
+        printf "Inconsistent program name in SYNOPSIS in %s:\n" $md
+        printf "  SYNOPSIS = %s (expected: '%s')\n" "$cmd" "$md_nodash"
+        rc=1
+    fi
+
+    # The convention is to use UPPER CASE in 'skopeo foo --help',
+    # but *lower case bracketed by asterisks* in the man page
+    if expr "$synopsis" : ".*[A-Z]" >/dev/null; then
+        echo
+        printf "Inconsistent capitalization in SYNOPSIS in %s\n" $md
+        printf "  '%s' should not contain upper-case characters\n" "$synopsis"
+        rc=1
+    fi
+
+    # (for debugging, and getting a sense of standard conventions)
+    #printf "  %-32s ------ '%s'\n" $md "$synopsis"
+
+    # If bin/skopeo is available, run "cmd --help" and compare Usage
+    # messages. This is complicated, so do it in a helper function.
+    compare_usage "$md_nodash" "$synopsis"
+done
+
+
+exit $rc

hack/tree_status.sh

@@ -0,0 +1,13 @@
+#!/bin/bash
+set -e
+
+STATUS=$(git status --porcelain)
+if [[ -z $STATUS ]]
+then
+	echo "tree is clean"
+else
+	echo "tree is dirty, please commit all changes and sync the vendor.conf"
+	echo ""
+	echo "$STATUS"
+	exit 1
+fi

hack/vendor.sh

@@ -1,27 +0,0 @@
-#!/usr/bin/env bash
-set -e
-
-cd "$(dirname "$BASH_SOURCE")/.."
-rm -rf vendor/
-source 'hack/.vendor-helpers.sh'
-
-clone git github.com/codegangsta/cli v1.2.0
-clone git github.com/Sirupsen/logrus v0.8.7
-clone git github.com/vbatts/tar-split master
-clone git github.com/gorilla/mux master
-clone git github.com/gorilla/context master
-clone git golang.org/x/net master https://github.com/golang/net.git
-clone git github.com/go-check/check v1
-
-clone git github.com/docker/docker v1.10.2
-clone git github.com/docker/engine-api v0.2.3
-clone git github.com/docker/distribution 0f2d99b13ae0cfbcf118eff103e6e680b726b47e
-
-clone git github.com/docker/go-connections master
-clone git github.com/docker/go-units master
-clone git github.com/docker/libtrust master
-clone git github.com/opencontainers/runc master
-
-clean
-
-mv vendor/src/* vendor/

hack/xref-helpmsgs-manpages

@@ -0,0 +1,277 @@
+#!/usr/bin/perl
+#
+# xref-helpmsgs-manpages - cross-reference --help options against man pages
+#
+package LibPod::CI::XrefHelpmsgsManpages;
+
+use v5.14;
+use utf8;
+
+use strict;
+use warnings;
+
+(our $ME = $0) =~ s|.*/||;
+our $VERSION = '0.1';
+
+# For debugging, show data structures using DumpTree($var)
+#use Data::TreeDumper; $Data::TreeDumper::Displayaddress = 0;
+
+# unbuffer output
+$| = 1;
+
+###############################################################################
+# BEGIN user-customizable section
+
+# Path to skopeo executable
+my $Default_Skopeo = './bin/skopeo';
+my $SKOPEO = $ENV{SKOPEO} || $Default_Skopeo;
+
+# Path to all doc files (markdown)
+my $Docs_Path = 'docs';
+
+# Global error count
+my $Errs = 0;
+
+# END   user-customizable section
+###############################################################################
+
+###############################################################################
+# BEGIN boilerplate args checking, usage messages
+
+sub usage {
+    print  <<"END_USAGE";
+Usage: $ME [OPTIONS]
+
+$ME recursively runs 'skopeo --help' against
+all subcommands; and recursively reads skopeo-*.1.md files
+in $Docs_Path, then cross-references that each --help
+option is listed in the appropriate man page and vice-versa.
+
+$ME invokes '\$SKOPEO' (default: $Default_Skopeo).
+
+Exit status is zero if no inconsistencies found, one otherwise
+
+OPTIONS:
+
+  -v, --verbose  show verbose progress indicators
+  -n, --dry-run  make no actual changes
+
+  --help         display this message
+  --version      display program name and version
+END_USAGE
+
+    exit;
+}
+
+# Command-line options.  Note that this operates directly on @ARGV !
+our $debug   = 0;
+our $verbose = 0;
+sub handle_opts {
+    use Getopt::Long;
+    GetOptions(
+        'debug!'     => \$debug,
+        'verbose|v'  => \$verbose,
+
+        help         => \&usage,
+        version      => sub { print "$ME version $VERSION\n"; exit 0 },
+    ) or die "Try `$ME --help' for help\n";
+}
+
+# END   boilerplate args checking, usage messages
+###############################################################################
+
+############################## CODE BEGINS HERE ###############################
+
+# The term is "modulino".
+__PACKAGE__->main()                                     unless caller();
+
+# Main code.
+sub main {
+    # Note that we operate directly on @ARGV, not on function parameters.
+    # This is deliberate: it's because Getopt::Long only operates on @ARGV
+    # and there's no clean way to make it use @_.
+    handle_opts();                      # will set package globals
+
+    # Fetch command-line arguments.  Barf if too many.
+    die "$ME: Too many arguments; try $ME --help\n"                 if @ARGV;
+
+    my $help = skopeo_help();
+    my $man  = skopeo_man('skopeo');
+
+    xref_by_help($help, $man);
+    xref_by_man($help, $man);
+
+    exit !!$Errs;
+}
+
+###############################################################################
+# BEGIN cross-referencing
+
+##################
+#  xref_by_help  #  Find keys in '--help' but not in man
+##################
+sub xref_by_help {
+    my ($help, $man, @subcommand) = @_;
+
+    for my $k (sort keys %$help) {
+        if (exists $man->{$k}) {
+            if (ref $help->{$k}) {
+                xref_by_help($help->{$k}, $man->{$k}, @subcommand, $k);
+            }
+            # Otherwise, non-ref is leaf node such as a --option
+        }
+        else {
+            my $man = $man->{_path} || 'man';
+            warn "$ME: skopeo @subcommand --help lists $k, but $k not in $man\n";
+            ++$Errs;
+        }
+    }
+}
+
+#################
+#  xref_by_man  #  Find keys in man pages but not in --help
+#################
+#
+# In an ideal world we could share the functionality in one function; but
+# there are just too many special cases in man pages.
+#
+sub xref_by_man {
+    my ($help, $man, @subcommand) = @_;
+
+    # FIXME: this generates way too much output
+    for my $k (grep { $_ ne '_path' } sort keys %$man) {
+        if (exists $help->{$k}) {
+            if (ref $man->{$k}) {
+                xref_by_man($help->{$k}, $man->{$k}, @subcommand, $k);
+            }
+        }
+        elsif ($k ne '--help' && $k ne '-h') {
+            my $man = $man->{_path} || 'man';
+
+            warn "$ME: skopeo @subcommand: $k in $man, but not --help\n";
+            ++$Errs;
+        }
+    }
+}
+
+# END   cross-referencing
+###############################################################################
+# BEGIN data gathering
+
+#################
+#  skopeo_help  #  Parse output of 'skopeo [subcommand] --help'
+#################
+sub skopeo_help {
+    my %help;
+    open my $fh, '-|', $SKOPEO, @_, '--help'
+        or die "$ME: Cannot fork: $!\n";
+    my $section = '';
+    while (my $line = <$fh>) {
+        # Cobra is blessedly consistent in its output:
+        #    Usage: ...
+        #    Available Commands:
+        #       ....
+        #    Options:
+        #       ....
+        #
+        # Start by identifying the section we're in...
+        if ($line =~ /^Available\s+(Commands):/) {
+            $section = lc $1;
+        }
+        elsif ($line =~ /^(Flags):/) {
+            $section = lc $1;
+        }
+
+        # ...then track commands and options. For subcommands, recurse.
+        elsif ($section eq 'commands') {
+            if ($line =~ /^\s{1,4}(\S+)\s/) {
+                my $subcommand = $1;
+                print "> skopeo @_ $subcommand\n"               if $debug;
+                $help{$subcommand} = skopeo_help(@_, $subcommand)
+                    unless $subcommand eq 'help';       # 'help' not in man
+            }
+        }
+        elsif ($section eq 'flags') {
+            # Handle '--foo' or '-f, --foo'
+            if ($line =~ /^\s{1,10}(--\S+)\s/) {
+                print "> skopeo @_ $1\n"                        if $debug;
+                $help{$1} = 1;
+            }
+            elsif ($line =~ /^\s{1,10}(-\S),\s+(--\S+)\s/) {
+                print "> skopeo @_ $1, $2\n"                    if $debug;
+                $help{$1} = $help{$2} = 1;
+            }
+        }
+    }
+    close $fh
+        or die "$ME: Error running 'skopeo @_ --help'\n";
+
+    return \%help;
+}
+
+
+################
+#  skopeo_man  #  Parse contents of skopeo-*.1.md
+################
+sub skopeo_man {
+    my $command = shift;
+    my $manpath = "$Docs_Path/$command.1.md";
+    print "** $manpath \n"                              if $debug;
+
+    my %man = (_path => $manpath);
+    open my $fh, '<', $manpath
+        or die "$ME: Cannot read $manpath: $!\n";
+    my $section = '';
+    my @most_recent_flags;
+    my $previous_subcmd = '';
+    while (my $line = <$fh>) {
+        chomp $line;
+        next unless $line;		# skip empty lines
+
+        # .md files designate sections with leading double hash
+        if ($line =~ /^##\s*OPTIONS/) {
+            $section = 'flags';
+        }
+        elsif ($line =~ /^\#\#\s+(SUB)?COMMANDS/) {
+            $section = 'commands';
+        }
+        elsif ($line =~ /^\#\#[^#]/) {
+            $section = '';
+        }
+
+        # This will be a table containing subcommand names, links to man pages.
+        elsif ($section eq 'commands') {
+            # In skopeo.1.md
+            if ($line =~ /^\|\s*\[skopeo-(\S+?)\(\d\)\]/) {
+                # $1 will be changed by recursion _*BEFORE*_ left-hand assignment
+                my $subcmd = $1;
+                $man{$subcmd} = skopeo_man("skopeo-$1");
+            }
+        }
+
+        # Options should always be of the form '**-f**' or '**\-\-flag**',
+        # possibly separated by comma-space.
+        elsif ($section eq 'flags') {
+            # If option has long and short form, long must come first.
+            # This is a while-loop because there may be multiple long
+            # option names (not in skopeo ATM, but leave the possibility open)
+            while ($line =~ s/^\*\*(--[a-z0-9.-]+)\*\*(=\*[a-zA-Z0-9-]+\*)?(,\s+)?//g) {
+                $man{$1} = 1;
+            }
+            # Short form
+            if ($line =~ s/^\*\*(-[a-zA-Z0-9.])\*\*(=\*[a-zA-Z0-9-]+\*)?//g) {
+                $man{$1} = 1;
+            }
+        }
+    }
+    close $fh;
+
+    return \%man;
+}
+
+
+
+# END   data gathering
+###############################################################################
+
+1;

inspect.go

@@ -1,35 +0,0 @@
-package main
-
-import (
-	"fmt"
-
-	"github.com/codegangsta/cli"
-	"github.com/runcom/skopeo/docker"
-	"github.com/runcom/skopeo/types"
-)
-
-const (
-	imgTypeDocker = "docker"
-	imgTypeAppc   = "appc"
-)
-
-func inspect(c *cli.Context) (*types.ImageInspect, error) {
-	var (
-		imgInspect *types.ImageInspect
-		err        error
-		name       = c.Args().First()
-		imgType    = c.GlobalString("img-type")
-	)
-	switch imgType {
-	case imgTypeDocker:
-		imgInspect, err = docker.GetData(c, name)
-		if err != nil {
-			return nil, err
-		}
-	case imgTypeAppc:
-		return nil, fmt.Errorf("sorry, not implemented yet")
-	default:
-		return nil, fmt.Errorf("%s image type is invalid, please use either 'docker' or 'appc'", imgType)
-	}
-	return imgInspect, nil
-}

install.md

@@ -0,0 +1,243 @@
+# Installing Skopeo
+
+## Distribution Packages
+`skopeo` may already be packaged in your distribution.
+
+### Fedora
+
+```sh
+sudo dnf -y install skopeo
+```
+
+### RHEL/CentOS ≥ 8 and CentOS Stream
+
+```sh
+sudo dnf -y install skopeo
+```
+
+### RHEL/CentOS ≤ 7.x
+
+```sh
+sudo yum -y install skopeo
+```
+
+### openSUSE
+
+```sh
+sudo zypper install skopeo
+```
+
+### Alpine
+
+```sh
+sudo apk add skopeo
+```
+
+### macOS
+
+```sh
+brew install skopeo
+```
+
+### Nix / NixOS
+```sh
+$ nix-env -i skopeo
+```
+
+### Debian
+
+The skopeo package is available on [Bullseye](https://packages.debian.org/bullseye/skopeo),
+and Debian Testing and Unstable.
+
+```bash
+# Debian Bullseye, Testing or Unstable/Sid
+sudo apt-get update
+sudo apt-get -y install skopeo
+```
+
+### Raspberry Pi OS arm64 (beta)
+
+Raspberry Pi OS uses the standard Debian's repositories,
+so it is fully compatible with Debian's arm64 repository.
+You can simply follow the [steps for Debian](#debian) to install Skopeo.
+
+
+### Ubuntu
+
+The skopeo package is available in the official repositories for Ubuntu 20.10
+and newer.
+
+```bash
+# Ubuntu 20.10 and newer
+sudo apt-get -y update
+sudo apt-get -y install skopeo
+```
+
+The [Kubic project](https://build.opensuse.org/package/show/devel:kubic:libcontainers:stable/skopeo)
+provides packages for Ubuntu 20.04 (it should also work with direct derivatives like Pop!\_OS).
+
+```bash
+. /etc/os-release
+echo "deb https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/xUbuntu_${VERSION_ID}/ /" | sudo tee /etc/apt/sources.list.d/devel:kubic:libcontainers:stable.list
+curl -L https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/xUbuntu_${VERSION_ID}/Release.key | sudo apt-key add -
+sudo apt-get update
+sudo apt-get -y upgrade
+sudo apt-get -y install skopeo
+```
+
+### Windows
+Skopeo has not yet been packaged for Windows. There is an [open feature
+request](https://github.com/containers/skopeo/issues/715) and contributions are
+always welcome.
+
+
+## Container Images
+
+Skopeo container images are available at `quay.io/skopeo/stable:latest`.
+For example,
+
+```bash
+podman run docker://quay.io/skopeo/stable:latest copy --help
+```
+
+[Read more](./contrib/skopeoimage/README.md).
+
+
+## Building from Source
+
+Otherwise, read on for building and installing it from source:
+
+To build the `skopeo` binary you need at least Go 1.12.
+
+There are two ways to build skopeo: in a container, or locally without a
+container. Choose the one which better matches your needs and environment.
+
+### Building without a container
+
+Building without a container requires a bit more manual work and setup in your
+environment, but it is more flexible:
+
+- It should work in more environments (e.g. for native macOS builds)
+- It does not require root privileges (after dependencies are installed)
+- It is faster, therefore more convenient for developing `skopeo`.
+
+Install the necessary dependencies:
+
+```bash
+# Fedora:
+sudo dnf install gpgme-devel libassuan-devel btrfs-progs-devel device-mapper-devel
+```
+
+```bash
+# Ubuntu (`libbtrfs-dev` requires Ubuntu 18.10 and above):
+sudo apt install libgpgme-dev libassuan-dev libbtrfs-dev libdevmapper-dev pkg-config
+```
+
+```bash
+# macOS:
+brew install gpgme
+```
+
+```bash
+# openSUSE:
+sudo zypper install libgpgme-devel device-mapper-devel libbtrfs-devel glib2-devel
+```
+
+Make sure to clone this repository in your `GOPATH` - otherwise compilation fails.
+
+```bash
+git clone https://github.com/containers/skopeo $GOPATH/src/github.com/containers/skopeo
+cd $GOPATH/src/github.com/containers/skopeo && make bin/skopeo
+```
+
+By default the `make` command (make all) will build bin/skopeo and the documentation locally.
+
+Building of documentation requires `go-md2man`. On systems that do not have this tool, the
+document generation can be skipped by passing `DISABLE_DOCS=1`:
+```
+DISABLE_DOCS=1 make
+```
+
+### Building documentation
+
+To build the manual you will need go-md2man.
+
+```bash
+# Debian:
+sudo apt-get install go-md2man
+```
+
+```
+# Fedora:
+sudo dnf install go-md2man
+```
+
+```
+# MacOS:
+brew install go-md2man
+```
+
+Then
+
+```bash
+make docs
+```
+
+### Building in a container
+
+Building in a container is simpler, but more restrictive:
+
+- It requires the `podman` command and the ability to run Linux containers.
+- The created executable is a Linux executable, and depends on dynamic libraries
+  which may only be available only in a container of a similar Linux
+  distribution.
+
+```bash
+$ make binary
+```
+
+### Installation
+
+Finally, after the binary and documentation is built:
+
+```bash
+sudo make install
+```
+
+### Building a static binary
+
+There have been efforts in the past to produce and maintain static builds, but the maintainers prefer to run Skopeo using distro packages or within containers. This is because static builds of Skopeo tend to be unreliable and functionally restricted. Specifically:
+- Some features of Skopeo depend on non-Go libraries like `libgpgme` and `libdevmapper`.
+- Generating static Go binaries uses native Go libraries, which don't support e.g. `.local` or LDAP-based name resolution.
+
+That being said, if you would like to build Skopeo statically, you might be able to do it by combining all the following steps.
+- Export environment variable `CGO_ENABLED=0` (disabling CGO causes Go to prefer native libraries when possible, instead of dynamically linking against system libraries).
+- Set the `BUILDTAGS=containers_image_openpgp` Make variable (this remove the dependency on `libgpgme` and its companion libraries).
+- Clear the `GO_DYN_FLAGS` Make variable (which otherwise seems to force the creation of a dynamic executable).
+
+The following command implements these steps to produce a static binary in the `bin` subdirectory of the repository:
+
+```bash
+docker run -v $PWD:/src -w /src -e CGO_ENABLED=0 golang \
+make BUILDTAGS=containers_image_openpgp GO_DYN_FLAGS=
+```
+
+Keep in mind that the resulting binary is unsupported and might crash randomly. Only use if you know what you're doing!
+
+For more information, history, and context about static builds, check the following issues:
+
+- [#391] - Consider distributing statically built binaries as part of release
+- [#669] - Static build fails with segmentation violation
+- [#670] - Fixing static binary build using container
+- [#755] - Remove static and in-container targets from Makefile
+- [#932] - Add nix derivation for static builds
+- [#1336] - Unable to run skopeo on Fedora 30 (due to dyn lib dependency)
+- [#1478] - Publish binary releases to GitHub (request+discussion)
+
+[#391]: https://github.com/containers/skopeo/issues/391
+[#669]: https://github.com/containers/skopeo/issues/669
+[#670]: https://github.com/containers/skopeo/issues/670
+[#755]: https://github.com/containers/skopeo/issues/755
+[#932]: https://github.com/containers/skopeo/issues/932
+[#1336]: https://github.com/containers/skopeo/issues/1336
+[#1478]: https://github.com/containers/skopeo/issues/1478

integration/blocked_test.go

@@ -0,0 +1,34 @@
+package main
+
+import (
+	"gopkg.in/check.v1"
+)
+
+const blockedRegistriesConf = "./fixtures/blocked-registries.conf"
+const blockedErrorRegex = `.*registry registry-blocked.com is blocked in .*`
+
+func (s *SkopeoSuite) TestCopyBlockedSource(c *check.C) {
+	assertSkopeoFails(c, blockedErrorRegex,
+		"--registries-conf", blockedRegistriesConf, "copy",
+		"docker://registry-blocked.com/image:test",
+		"docker://registry-unblocked.com/image:test")
+}
+
+func (s *SkopeoSuite) TestCopyBlockedDestination(c *check.C) {
+	assertSkopeoFails(c, blockedErrorRegex,
+		"--registries-conf", blockedRegistriesConf, "copy",
+		"docker://registry-unblocked.com/image:test",
+		"docker://registry-blocked.com/image:test")
+}
+
+func (s *SkopeoSuite) TestInspectBlocked(c *check.C) {
+	assertSkopeoFails(c, blockedErrorRegex,
+		"--registries-conf", blockedRegistriesConf, "inspect",
+		"docker://registry-blocked.com/image:test")
+}
+
+func (s *SkopeoSuite) TestDeleteBlocked(c *check.C) {
+	assertSkopeoFails(c, blockedErrorRegex,
+		"--registries-conf", blockedRegistriesConf, "delete",
+		"docker://registry-blocked.com/image:test")
+}

integration/check_test.go

@@ -3,20 +3,15 @@ package main
 import (
 	"fmt"
 	"os/exec"
-	"strings"
 	"testing"
 
-	"github.com/go-check/check"
+	"github.com/containers/skopeo/version"
+	"gopkg.in/check.v1"
 )
 
 const (
 	privateRegistryURL0 = "127.0.0.1:5000"
 	privateRegistryURL1 = "127.0.0.1:5001"
-	privateRegistryURL2 = "127.0.0.1:5002"
-	privateRegistryURL3 = "127.0.0.1:5003"
-	privateRegistryURL4 = "127.0.0.1:5004"
-
-	skopeoBinary = "skopeo"
 )
 
 func Test(t *testing.T) {
@@ -28,40 +23,21 @@ func init() {
 }
 
 type SkopeoSuite struct {
-	regV1         *testRegistryV1
 	regV2         *testRegistryV2
-	regV2Shema1   *testRegistryV2
-	regV1WithAuth *testRegistryV1
 	regV2WithAuth *testRegistryV2
 }
 
 func (s *SkopeoSuite) SetUpSuite(c *check.C) {
-
+	_, err := exec.LookPath(skopeoBinary)
+	c.Assert(err, check.IsNil)
+	s.regV2 = setupRegistryV2At(c, privateRegistryURL0, false, false)
+	s.regV2WithAuth = setupRegistryV2At(c, privateRegistryURL1, true, false)
 }
 
 func (s *SkopeoSuite) TearDownSuite(c *check.C) {
-
-}
-
-func (s *SkopeoSuite) SetUpTest(c *check.C) {
-	_, err := exec.LookPath(skopeoBinary)
-	c.Assert(err, check.IsNil)
-
-	s.regV1 = setupRegistryV1At(c, privateRegistryURL0, false) // not used
-	s.regV2 = setupRegistryV2At(c, privateRegistryURL1, false, false)
-	s.regV2Shema1 = setupRegistryV2At(c, privateRegistryURL2, false, true)
-	s.regV1WithAuth = setupRegistryV1At(c, privateRegistryURL3, true) // not used
-	s.regV2WithAuth = setupRegistryV2At(c, privateRegistryURL4, true, false)
-}
-
-func (s *SkopeoSuite) TearDownTest(c *check.C) {
-	// not checking V1 registries now...
 	if s.regV2 != nil {
 		s.regV2.Close()
 	}
-	if s.regV2Shema1 != nil {
-		s.regV2Shema1.Close()
-	}
 	if s.regV2WithAuth != nil {
 		//cmd := exec.Command("docker", "logout", s.regV2WithAuth)
 		//c.Assert(cmd.Run(), check.IsNil)
@@ -73,43 +49,65 @@ func (s *SkopeoSuite) TearDownTest(c *check.C) {
 //func skopeoCmd()
 
 func (s *SkopeoSuite) TestVersion(c *check.C) {
-	out, err := exec.Command(skopeoBinary, "--version").CombinedOutput()
-	c.Assert(err, check.IsNil, check.Commentf(string(out)))
-	wanted := skopeoBinary + " version "
-	if !strings.Contains(string(out), wanted) {
-		c.Fatalf("wanted %s, got %s", wanted, string(out))
-	}
+	wanted := fmt.Sprintf(".*%s version %s.*", skopeoBinary, version.Version)
+	assertSkopeoSucceeds(c, wanted, "--version")
 }
 
 func (s *SkopeoSuite) TestCanAuthToPrivateRegistryV2WithoutDockerCfg(c *check.C) {
-	out, err := exec.Command(skopeoBinary, "--docker-cfg=''", "--username="+s.regV2WithAuth.username, "--password="+s.regV2WithAuth.password, fmt.Sprintf("%s/busybox:latest", s.regV2WithAuth.url)).CombinedOutput()
-	c.Assert(err, check.NotNil, check.Commentf(string(out)))
-	wanted := "Error: image busybox not found"
-	if !strings.Contains(string(out), wanted) {
-		c.Fatalf("wanted %s, got %s", wanted, string(out))
-	}
+	wanted := ".*manifest unknown: manifest unknown.*"
+	assertSkopeoFails(c, wanted, "--tls-verify=false", "inspect", "--creds="+s.regV2WithAuth.username+":"+s.regV2WithAuth.password, fmt.Sprintf("docker://%s/busybox:latest", s.regV2WithAuth.url))
 }
 
 func (s *SkopeoSuite) TestNeedAuthToPrivateRegistryV2WithoutDockerCfg(c *check.C) {
-	out, err := exec.Command(skopeoBinary, "--docker-cfg=''", fmt.Sprintf("%s/busybox:latest", s.regV2WithAuth.url)).CombinedOutput()
-	c.Assert(err, check.NotNil, check.Commentf(string(out)))
-	wanted := "no basic auth credentials"
-	if !strings.Contains(string(out), wanted) {
-		c.Fatalf("wanted %s, got %s", wanted, string(out))
-	}
+	wanted := ".*unauthorized: authentication required.*"
+	assertSkopeoFails(c, wanted, "--tls-verify=false", "inspect", fmt.Sprintf("docker://%s/busybox:latest", s.regV2WithAuth.url))
+}
+
+func (s *SkopeoSuite) TestCertDirInsteadOfCertPath(c *check.C) {
+	wanted := ".*unknown flag: --cert-path.*"
+	assertSkopeoFails(c, wanted, "--tls-verify=false", "inspect", fmt.Sprintf("docker://%s/busybox:latest", s.regV2WithAuth.url), "--cert-path=/")
+	wanted = ".*unauthorized: authentication required.*"
+	assertSkopeoFails(c, wanted, "--tls-verify=false", "inspect", fmt.Sprintf("docker://%s/busybox:latest", s.regV2WithAuth.url), "--cert-dir=/etc/docker/certs.d/")
 }
 
 // TODO(runcom): as soon as we can push to registries ensure you can inspect here
 // not just get image not found :)
 func (s *SkopeoSuite) TestNoNeedAuthToPrivateRegistryV2ImageNotFound(c *check.C) {
-	out, err := exec.Command(skopeoBinary, fmt.Sprintf("%s/busybox:latest", s.regV2.url)).CombinedOutput()
+	out, err := exec.Command(skopeoBinary, "--tls-verify=false", "inspect", fmt.Sprintf("docker://%s/busybox:latest", s.regV2.url)).CombinedOutput()
 	c.Assert(err, check.NotNil, check.Commentf(string(out)))
-	wanted := "Error: image busybox not found"
-	if !strings.Contains(string(out), wanted) {
-		c.Fatalf("wanted %s, got %s", wanted, string(out))
-	}
-	wanted = "no basic auth credentials"
-	if strings.Contains(string(out), wanted) {
-		c.Fatalf("not wanted %s, got %s", wanted, string(out))
-	}
+	wanted := ".*manifest unknown.*"
+	c.Assert(string(out), check.Matches, "(?s)"+wanted) // (?s) : '.' will also match newlines
+	wanted = ".*unauthorized: authentication required.*"
+	c.Assert(string(out), check.Not(check.Matches), "(?s)"+wanted) // (?s) : '.' will also match newlines
+}
+
+func (s *SkopeoSuite) TestInspectFailsWhenReferenceIsInvalid(c *check.C) {
+	assertSkopeoFails(c, `.*Invalid image name.*`, "inspect", "unknown")
+}
+
+func (s *SkopeoSuite) TestLoginLogout(c *check.C) {
+	wanted := "^Login Succeeded!\n$"
+	assertSkopeoSucceeds(c, wanted, "login", "--tls-verify=false", "--username="+s.regV2WithAuth.username, "--password="+s.regV2WithAuth.password, s.regV2WithAuth.url)
+	// test --get-login returns username
+	wanted = fmt.Sprintf("^%s\n$", s.regV2WithAuth.username)
+	assertSkopeoSucceeds(c, wanted, "login", "--tls-verify=false", "--get-login", s.regV2WithAuth.url)
+	// test logout
+	wanted = fmt.Sprintf("^Removed login credentials for %s\n$", s.regV2WithAuth.url)
+	assertSkopeoSucceeds(c, wanted, "logout", s.regV2WithAuth.url)
+}
+
+func (s *SkopeoSuite) TestCopyWithLocalAuth(c *check.C) {
+	wanted := "^Login Succeeded!\n$"
+	assertSkopeoSucceeds(c, wanted, "login", "--tls-verify=false", "--username="+s.regV2WithAuth.username, "--password="+s.regV2WithAuth.password, s.regV2WithAuth.url)
+	// copy to private registry using local authentication
+	imageName := fmt.Sprintf("docker://%s/busybox:mine", s.regV2WithAuth.url)
+	assertSkopeoSucceeds(c, "", "copy", "--dest-tls-verify=false", testFQIN+":latest", imageName)
+	// inspect from private registry
+	assertSkopeoSucceeds(c, "", "inspect", "--tls-verify=false", imageName)
+	// logout from the registry
+	wanted = fmt.Sprintf("^Removed login credentials for %s\n$", s.regV2WithAuth.url)
+	assertSkopeoSucceeds(c, wanted, "logout", s.regV2WithAuth.url)
+	// inspect from private registry should fail after logout
+	wanted = ".*unauthorized: authentication required.*"
+	assertSkopeoFails(c, wanted, "inspect", "--tls-verify=false", imageName)
 }

integration/decompress-dirs.sh

@@ -0,0 +1,23 @@
+#!/bin/bash -e
+# Account for differences between dir: images that are solely due to one being
+# compressed (fresh from a registry) and the other not being compressed (read
+# from storage, which decompressed it and had to reassemble the layer blobs).
+for dir in "$@" ; do
+    # Updating the manifest's blob digests may change the formatting, so
+    # use jq to get them into similar shape.
+    jq -M . "${dir}"/manifest.json > "${dir}"/manifest.json.tmp && mv "${dir}"/manifest.json.tmp "${dir}"/manifest.json
+    for candidate in "${dir}"/???????????????????????????????????????????????????????????????? ; do
+        # If a digest-identified file looks like it was compressed,
+        # decompress it, and replace its hash and size in the manifest
+        # with the values for their decompressed versions.
+        uncompressed=`zcat "${candidate}" 2> /dev/null | sha256sum | cut -c1-64`
+        if test $? -eq 0 ; then
+            if test "$uncompressed" != e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 ; then
+                zcat "${candidate}" > "${dir}"/${uncompressed}
+                sed -r -i -e "s#sha256:$(basename ${candidate})#sha256:${uncompressed}#g" "${dir}"/manifest.json
+                sed -r -i -e "s#\"size\": $(wc -c < ${candidate}),#\"size\": $(wc -c < ${dir}/${uncompressed}),#g" "${dir}"/manifest.json
+                rm -f "${candidate}"
+            fi
+        fi
+    done
+done

integration/fixtures/blocked-registries.conf

@@ -0,0 +1,6 @@
+[[registry]]
+location = "registry-unblocked.com"
+
+[[registry]]
+location = "registry-blocked.com"
+blocked = true

integration/fixtures/image.manifest.json

@@ -0,0 +1,26 @@
+{
+    "schemaVersion": 2,
+    "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
+    "config": {
+        "mediaType": "application/vnd.docker.container.image.v1+json",
+        "size": 7023,
+        "digest": "sha256:b5b2b2c507a0944348e0303114d8d93aaaa081732b86451d9bce1f432a537bc7"
+    },
+    "layers": [
+        {
+            "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
+            "size": 32654,
+            "digest": "sha256:e692418e4cbaf90ca69d05a66403747baa33ee08806650b51fab815ad7fc331f"
+        },
+        {
+            "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
+            "size": 16724,
+            "digest": "sha256:3c3a4604a545cdc127456d94e421cd355bca5b528f4a9c1905b15da2eb4a4c6b"
+        },
+        {
+            "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
+            "size": 73109,
+            "digest": "sha256:ec4b8955958665577945c89419d1af06b5f7636b4ac3da7f12184802ad867736"
+        }
+    ]
+}

integration/fixtures/policy.json

@@ -0,0 +1,136 @@
+{
+    "default": [
+        {
+            "type": "reject"
+        }
+    ],
+    "transports": {
+        "docker": {
+            "localhost:5555": [
+                {
+                    "type": "signedBy",
+                    "keyType": "GPGKeys",
+                    "keyPath": "@keydir@/personal-pubkey.gpg"
+                }
+            ],
+            "localhost:5000/myns/extension": [
+                {
+                    "type": "signedBy",
+                    "keyType": "GPGKeys",
+                    "keyPath": "@keydir@/personal-pubkey.gpg"
+                }
+            ],
+            "localhost:5006/myns/mirroring-primary": [
+                {
+                    "type": "signedBy",
+                    "keyType": "GPGKeys",
+                    "keyPath": "@keydir@/personal-pubkey.gpg"
+                }
+            ],
+            "localhost:5006/myns/mirroring-mirror": [
+                {
+                    "type": "signedBy",
+                    "keyType": "GPGKeys",
+                    "keyPath": "@keydir@/personal-pubkey.gpg"
+                }
+            ],
+            "localhost:5006/myns/mirroring-remap": [
+                {
+                    "type": "signedBy",
+                    "keyType": "GPGKeys",
+                    "keyPath": "@keydir@/personal-pubkey.gpg",
+                    "signedIdentity": {
+                        "type": "remapIdentity",
+                        "prefix": "localhost:5006/myns/mirroring-remap",
+                        "signedPrefix": "localhost:5006/myns/mirroring-primary"
+                    }
+                }
+            ],
+            "docker.io/openshift": [
+                {
+                    "type": "insecureAcceptAnything"
+                }
+            ],
+            "quay.io/openshift": [
+                {
+                    "type": "insecureAcceptAnything"
+                }
+            ]
+        },
+        "dir": {
+            "/@dirpath@": [
+                {
+                    "type": "signedBy",
+                    "keyType": "GPGKeys",
+                    "keyPath": "@keydir@/official-pubkey.gpg",
+                    "signedIdentity": {
+                        "type": "exactRepository",
+                        "dockerRepository": "localhost:5000/myns/official"
+                    }
+                }
+            ],
+            "": [
+                {
+                    "type": "insecureAcceptAnything"
+                }
+            ]
+        },
+        "atomic": {
+            "localhost:5006/myns/personal": [
+                {
+                    "type": "signedBy",
+                    "keyType": "GPGKeys",
+                    "keyPath": "@keydir@/personal-pubkey.gpg"
+                }
+            ],
+            "localhost:5006/myns/official": [
+                {
+                    "type": "signedBy",
+                    "keyType": "GPGKeys",
+                    "keyPath": "@keydir@/official-pubkey.gpg"
+                }
+            ],
+            "localhost:5006/myns/naming:test1": [
+                {
+                    "type": "signedBy",
+                    "keyType": "GPGKeys",
+                    "keyPath": "@keydir@/official-pubkey.gpg"
+                }
+            ],
+            "localhost:5006/myns/naming:naming": [
+                {
+                    "type": "signedBy",
+                    "keyType": "GPGKeys",
+                    "keyPath": "@keydir@/official-pubkey.gpg",
+                    "signedIdentity": {
+                        "type": "exactRepository",
+                        "dockerRepository": "localhost:5006/myns/official"
+                    }
+                }
+            ],
+            "localhost:5006/myns/cosigned:cosigned": [
+                {
+                    "type": "signedBy",
+                    "keyType": "GPGKeys",
+                    "keyPath": "@keydir@/official-pubkey.gpg",
+                    "signedIdentity": {
+                        "type": "exactRepository",
+                        "dockerRepository": "localhost:5006/myns/official"
+                    }
+                },
+                {
+                    "type": "signedBy",
+                    "keyType": "GPGKeys",
+                    "keyPath": "@keydir@/personal-pubkey.gpg"
+                }
+            ],
+            "localhost:5000/myns/extension": [
+                {
+                    "type": "signedBy",
+                    "keyType": "GPGKeys",
+                    "keyPath": "@keydir@/personal-pubkey.gpg"
+                }
+            ]
+        }
+    }
+}

integration/fixtures/registries.conf

@@ -0,0 +1,34 @@
+[[registry]]
+location = "mirror.invalid"
+mirror = [
+    { location = "mirror-0.invalid" },
+    { location = "mirror-1.invalid" },
+    { location = "gcr.io/google-containers" },
+]
+
+# This entry is currently unused and exists only to ensure
+# that the mirror.invalid/busybox is not rewritten twice.
+[[registry]]
+location = "gcr.io"
+prefix = "gcr.io/google-containers"
+
+[[registry]]
+location = "invalid.invalid"
+mirror = [
+    { location = "invalid-mirror-0.invalid" },
+    { location = "invalid-mirror-1.invalid" },
+]
+
+[[registry]]
+location = "gcr.invalid"
+prefix = "gcr.invalid/foo/bar"
+mirror = [
+    { location = "wrong-mirror-0.invalid" },
+    { location = "gcr.io/google-containers" },
+]
+
+[[registry]]
+location = "localhost:5006/myns/mirroring-primary"
+mirror = [
+    { location = "localhost:5006/myns/mirroring-mirror"},
+]

integration/fixtures/registries.yaml

@@ -0,0 +1,6 @@
+docker:
+   localhost:5555:
+        sigstore: file://@sigstore@
+   localhost:5555/public:
+        sigstore-staging: file://@split-staging@
+        sigstore: @split-read@