Merge pull request #2380 from TomSweeneyRedHat/dev/tsweeney/jfrog1-1.15

[release-1.15] Fixes an interoperability issue while listing tags, bump to v1.15.2
[release-1.15] Bump to v1.15.2
2026-01-30 05:49:52 +00:00 · 2024-07-11 19:06:03 +02:00 · 2024-07-10 21:03:07 -04:00 · 2024-07-10 21:03:07 -04:00 · 2024-06-27 20:29:26 +02:00 · 2024-06-27 14:11:56 -04:00
2277 changed files with 392198 additions and 104856 deletions
--- a/.cirrus.yml
+++ b/.cirrus.yml
@@ -20,13 +20,8 @@ env:
    # Save a little typing (path relative to $CIRRUS_WORKING_DIR)
    SCRIPT_BASE: "./contrib/cirrus"

-    ####
-    #### Cache-image names to test with (double-quotes around names are critical)
-    ####
-    FEDORA_NAME: "fedora-37"
-
    # Google-cloud VM Images
-    IMAGE_SUFFIX: "c6300530360713216"
+    IMAGE_SUFFIX: "c20240102t155643z-f39f38d13"
    FEDORA_CACHE_IMAGE_NAME: "fedora-${IMAGE_SUFFIX}"

    # Container FQIN's
@@ -52,7 +47,9 @@ validate_task:
        image: '${SKOPEO_CIDEV_CONTAINER_FQIN}'
        cpu: 4
        memory: 8
-    script: |
+    setup_script: |
+        make tools
+    test_script: |
        make validate-local
        make vendor && hack/tree_status.sh

@@ -75,14 +72,13 @@ doccheck_task:
      "${SKOPEO_PATH}/${SCRIPT_BASE}/runner.sh" doccheck

 osx_task:
-    # Don't run for docs-only or multi-arch image builds.
+    # Don't run for docs-only builds.
    # Also don't run on release-branches or their PRs,
    # since base container-image is not version-constrained.
    only_if: &not_docs_or_release_branch >-
        ($CIRRUS_BASE_BRANCH == $CIRRUS_DEFAULT_BRANCH ||
         $CIRRUS_BRANCH == $CIRRUS_DEFAULT_BRANCH ) &&
-        $CIRRUS_CHANGE_TITLE !=~ '.*CI:DOCS.*' &&
-        $CIRRUS_CRON != 'multiarch'
+        $CIRRUS_CHANGE_TITLE !=~ '.*CI:DOCS.*'
    depends_on:
        - validate
    macos_instance:
@@ -91,7 +87,7 @@ osx_task:
        export PATH=$GOPATH/bin:$PATH
        brew update
        brew install gpgme go go-md2man
-        go install golang.org/x/lint/golint@latest
+        make tools
    test_script: |
        export PATH=$GOPATH/bin:$PATH
        go version
@@ -104,8 +100,7 @@ osx_task:
 cross_task:
    alias: cross
    only_if: >-
-        $CIRRUS_CHANGE_TITLE !=~ '.*CI:DOCS.*' &&
-        $CIRRUS_CRON != 'multiarch'
+        $CIRRUS_CHANGE_TITLE !=~ '.*CI:DOCS.*'
    depends_on:
        - validate
    gce_instance: &standardvm
@@ -143,7 +138,7 @@ ostree-rs-ext_task:
        dockerfile: contrib/cirrus/ostree_ext.dockerfile
        docker_arguments:  # required build-args
            BASE_FQIN: quay.io/coreos-assembler/fcos-buildroot:testing-devel
-            CIRRUS_IMAGE_VERSION: 1
+            CIRRUS_IMAGE_VERSION: 2
    env:
        EXT_REPO_NAME: ostree-rs-ext
        EXT_REPO_HOME: $CIRRUS_WORKING_DIR/../$EXT_REPO_NAME
@@ -168,11 +163,10 @@ ostree-rs-ext_task:
 #####
 test_skopeo_task:
    alias: test_skopeo
-    # Don't test for [CI:DOCS], [CI:BUILD], or 'multiarch' cron.
+    # Don't test for [CI:DOCS], [CI:BUILD].
    only_if: >-
        $CIRRUS_CHANGE_TITLE !=~ '.*CI:BUILD.*' &&
-        $CIRRUS_CHANGE_TITLE !=~ '.*CI:DOCS.*' &&
-        $CIRRUS_CRON != 'multiarch'
+        $CIRRUS_CHANGE_TITLE !=~ '.*CI:DOCS.*'
    depends_on:
        - validate
    gce_instance:
@@ -205,49 +199,6 @@ test_skopeo_task:
        "${SKOPEO_PATH}/${SCRIPT_BASE}/runner.sh" system


-image_build_task: &image-build
-    name: "Build multi-arch $CTXDIR"
-    alias: image_build
-    # Some of these container images take > 1h to build, limit
-    # this task to a specific Cirrus-Cron entry with this name.
-    only_if: $CIRRUS_CRON == 'multiarch'
-    timeout_in: 120m  # emulation is sssllllooooowwww
-    gce_instance:
-        <<: *standardvm
-        image_name: build-push-${IMAGE_SUFFIX}
-        # More muscle required for parallel multi-arch build
-        type: "n2-standard-4"
-    matrix:
-        - env:
-            CTXDIR: contrib/skopeoimage/upstream
-        - env:
-            CTXDIR: contrib/skopeoimage/testing
-        - env:
-            CTXDIR: contrib/skopeoimage/stable
-    env:
-        SKOPEO_USERNAME: ENCRYPTED[4195884d23b154553f2ddb26a63fc9fbca50ba77b3e447e4da685d8639ed9bc94b9a86a9c77272c8c80d32ead9ca48da]
-        SKOPEO_PASSWORD: ENCRYPTED[36e06f9befd17e5da2d60260edb9ef0d40e6312e2bba4cf881d383f1b8b5a18c8e5a553aea2fdebf39cebc6bd3b3f9de]
-        CONTAINERS_USERNAME: ENCRYPTED[dd722c734641f103b394a3a834d51ca5415347e378637cf98ee1f99e64aad2ec3dbd4664c0d94cb0e06b83d89e9bbe91]
-        CONTAINERS_PASSWORD: ENCRYPTED[d8b0fac87fe251cedd26c864ba800480f9e0570440b9eb264265b67411b253a626fb69d519e188e6c9a7f525860ddb26]
-    main_script:
-        - source /etc/automation_environment
-        - main.sh $CIRRUS_REPO_CLONE_URL $CTXDIR
-
-
-test_image_build_task:
-    <<: *image-build
-    alias: test_image_build
-    # Allow this to run inside a PR w/ [CI:BUILD] only.
-    only_if: $CIRRUS_PR != '' && $CIRRUS_CHANGE_TITLE =~ '.*CI:BUILD.*'
-    # This takes a LONG time, only run when requested.  N/B: Any task
-    # made to depend on this one will block FOREVER unless triggered.
-    # DO NOT ADD THIS TASK AS DEPENDENCY FOR `success_task`.
-    trigger_type: manual
-    # Overwrite all 'env', don't push anything, just do the build.
-    env:
-        DRYRUN: 1
-
-
 # This task is critical.  It updates the "last-used by" timestamp stored
 # in metadata for all VM images.  This mechanism functions in tandem with
 # an out-of-band pruning operation to remove disused VM images.
@@ -286,7 +237,6 @@ success_task:
        - cross
        - proxy_ostree_ext
        - test_skopeo
-        - image_build
        - meta
    container: *smallcontainer
    env:
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -1,10 +0,0 @@
-version: 2
-updates:
- package-ecosystem: gomod
-  directory: "/"
-  schedule:
-    interval: daily
-    time: "10:00"
-    timezone: Europe/Berlin
-  open-pull-requests-limit: 10
-
--- a/.github/renovate.json5
+++ b/.github/renovate.json5
@@ -49,26 +49,4 @@
  /*************************************************
   *** Repository-specific configuration options ***
   *************************************************/
-
-  // Don't leave dep. update. PRs "hanging", assign them to people.
-  "assignees": ["containers/image-maintainers"],  // same for skopeo
-
-  /*************************************************
-   ***** Golang-specific configuration options *****
-   *************************************************/
-
-  "golang": {
-    // N/B: LAST MATCHING RULE WINS
-    // https://docs.renovatebot.com/configuration-options/#packagerules
-    "packageRules": [
-      // Package version retraction (https://go.dev/ref/mod#go-mod-file-retract)
-      // is broken in Renovate
-      // ref: https://github.com/renovatebot/renovate/issues/13012
-      {
-        "matchPackageNames": ["github.com/containers/common"],
-        // Both v1.0.0 and v1.0.1 should be ignored.
-        "allowedVersions": "!/v((1.0.0)|(1.0.1))$/"
-      },
-    ],
-  },
 }
--- a/.github/workflows/discussion_lock.yml
+++ b/.github/workflows/discussion_lock.yml
@@ -0,0 +1,20 @@
+---
+
+# See also:
+# https://github.com/containers/podman/blob/main/.github/workflows/discussion_lock.yml
+
+on:
+  schedule:
+    - cron:  '0 0 * * *'
+  # Debug: Allow triggering job manually in github-actions WebUI
+  workflow_dispatch: {}
+
+jobs:
+  # Ref: https://docs.github.com/en/actions/using-workflows/reusing-workflows
+  closed_issue_discussion_lock:
+    uses: containers/podman/.github/workflows/discussion_lock.yml@main
+    secrets: inherit
+    permissions:
+      contents: read
+      issues: write
+      pull-requests: write
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -17,7 +17,7 @@ jobs:
      pull-requests: write  # for actions/stale to close stale PRs
    runs-on: ubuntu-latest
    steps:
-    - uses: actions/stale@v7
+    - uses: actions/stale@v9
      with:
        repo-token: ${{ secrets.GITHUB_TOKEN }}
        stale-issue-message: 'A friendly reminder that this issue had no activity for 30 days.'
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -0,0 +1,3 @@
+---
+run:
+  timeout: 5m
--- a/.packit.yaml
+++ b/.packit.yaml
@@ -0,0 +1,98 @@
+---
+# See the documentation for more information:
+# https://packit.dev/docs/configuration/
+
+# NOTE: The Packit copr_build tasks help to check if every commit builds on
+# supported Fedora and CentOS Stream arches.
+# They do not block the current Cirrus-based workflow.
+
+downstream_package_name: skopeo
+upstream_tag_template: v{version}
+
+packages:
+  skopeo-fedora:
+    pkg_tool: fedpkg
+    specfile_path: rpm/skopeo.spec
+  skopeo-centos:
+    pkg_tool: centpkg
+    specfile_path: rpm/skopeo.spec
+  skopeo-rhel:
+    specfile_path: rpm/skopeo.spec
+
+srpm_build_deps:
+  - make
+
+jobs:
+  - job: copr_build
+    trigger: pull_request
+    packages: [skopeo-fedora]
+    notifications: &copr_build_failure_notification
+      failure_comment:
+        message: "Ephemeral COPR build failed. @containers/packit-build please check."
+    targets:
+      fedora-all-x86_64: {}
+      fedora-all-aarch64: {}
+      fedora-eln-x86_64:
+        additional_repos:
+          - "https://kojipkgs.fedoraproject.org/repos/eln-build/latest/x86_64/"
+      fedora-eln-aarch64:
+        additional_repos:
+          - "https://kojipkgs.fedoraproject.org/repos/eln-build/latest/aarch64/"
+    enable_net: true
+
+  - job: copr_build
+    trigger: pull_request
+    packages: [skopeo-centos]
+    notifications: *copr_build_failure_notification
+    targets:
+      - centos-stream-9-x86_64
+      - centos-stream-9-aarch64
+      - centos-stream-10-x86_64
+      - centos-stream-10-aarch64
+    enable_net: true
+
+  - job: copr_build
+    trigger: pull_request
+    packages: [skopeo-rhel]
+    notifications: *copr_build_failure_notification
+    targets:
+      - epel-9-x86_64
+      - epel-9-aarch64
+    enable_net: true
+
+  # Run on commit to main branch
+  - job: copr_build
+    trigger: commit
+    notifications:
+      failure_comment:
+        message: "podman-next COPR build failed. @containers/packit-build please check."
+    branch: main
+    owner: rhcontainerbot
+    project: podman-next
+    enable_net: true
+
+  # Sync to Fedora
+  - job: propose_downstream
+    trigger: release
+    packages: [skopeo-fedora]
+    update_release: false
+    dist_git_branches:
+      - fedora-all
+
+  # Sync to CentOS Stream
+  - job: propose_downstream
+    trigger: release
+    packages: [skopeo-centos]
+    update_release: false
+    dist_git_branches:
+      - c10s
+
+  - job: koji_build
+    trigger: commit
+    dist_git_branches:
+      - fedora-all
+
+  - job: bodhi_update
+    trigger: commit
+    dist_git_branches:
+      - fedora-branched # rawhide updates are created automatically
--- a/53
+++ b/53
@@ -24,6 +24,11 @@ GOBIN := $(shell $(GO) env GOBIN)
 GOOS ?= $(shell go env GOOS)
 GOARCH ?= $(shell go env GOARCH)

+# N/B: This value is managed by Renovate, manual changes are
+# possible, as long as they don't disturb the formatting
+# (i.e. DO NOT ADD A 'v' prefix!)
+GOLANGCI_LINT_VERSION := 1.56.2
+
 ifeq ($(GOBIN),)
 GOBIN := $(GOPATH)/bin
 endif
@@ -38,13 +43,6 @@ endif
 export CONTAINER_RUNTIME ?= $(if $(shell command -v podman ;),podman,docker)
 GOMD2MAN ?= $(if $(shell command -v go-md2man ;),go-md2man,$(GOBIN)/go-md2man)

-# Go module support: set `-mod=vendor` to use the vendored sources.
-# See also hack/make.sh.
-ifeq ($(shell go help mod >/dev/null 2>&1 && echo true), true)
-  GO:=GO111MODULE=on $(GO)
-  MOD_VENDOR=-mod=vendor
-endif
-
 ifeq ($(DEBUG), 1)
  override GOGCFLAGS += -N -l
 endif
@@ -56,17 +54,11 @@ ifeq ($(GOOS), linux)
 endif

 # If $TESTFLAGS is set, it is passed as extra arguments to 'go test'.
-# You can increase test output verbosity with the option '-test.vv'.
-# You can select certain tests to run, with `-test.run <regex>` for example:
+# You can select certain tests to run, with `-run <regex>` for example:
 #
-#     make test-unit TESTFLAGS='-test.run ^TestManifestDigest$'
-#
-# For integration test, we use [gocheck](https://labix.org/gocheck).
-# You can increase test output verbosity with the option '-check.vv'.
-# You can limit test selection with `-check.f <regex>`, for example:
-#
-#     make test-integration TESTFLAGS='-check.f CopySuite.TestCopy.*'
-export TESTFLAGS ?= -v -check.v -test.timeout=15m
+#     make test-unit TESTFLAGS='-run ^TestManifestDigest$'
+#     make test-integration TESTFLAGS='-run copySuite.TestCopy.*'
+export TESTFLAGS ?= -timeout=15m

 # This is assumed to be set non-empty when operating inside a CI/automation environment
 CI ?=
@@ -125,6 +117,7 @@ help:
 	@echo " * 'install' - Install binaries and documents to system locations"
 	@echo " * 'binary' - Build skopeo with a container"
 	@echo " * 'bin/skopeo' - Build skopeo locally"
+	@echo " * 'bin/skopeo.OS.ARCH' - Build skopeo for specific OS and ARCH"
 	@echo " * 'test-unit' - Execute unit tests"
 	@echo " * 'test-integration' - Execute integration tests"
 	@echo " * 'validate' - Verify whether there is no conflict and all Go source files have been formatted, linted and vetted"
@@ -139,9 +132,9 @@ binary: cmd/skopeo
 # Build w/o using containers
 .PHONY: bin/skopeo
 bin/skopeo:
-	$(GO) build $(MOD_VENDOR) ${GO_DYN_FLAGS} ${SKOPEO_LDFLAGS} -gcflags "$(GOGCFLAGS)" -tags "$(BUILDTAGS)" -o $@ ./cmd/skopeo
+	$(GO) build ${GO_DYN_FLAGS} ${SKOPEO_LDFLAGS} -gcflags "$(GOGCFLAGS)" -tags "$(BUILDTAGS)" -o $@ ./cmd/skopeo
 bin/skopeo.%:
-	GOOS=$(word 2,$(subst ., ,$@)) GOARCH=$(word 3,$(subst ., ,$@)) $(GO) build $(MOD_VENDOR) ${SKOPEO_LDFLAGS} -tags "containers_image_openpgp $(BUILDTAGS)" -o $@ ./cmd/skopeo
+	GOOS=$(word 2,$(subst ., ,$@)) GOARCH=$(word 3,$(subst ., ,$@)) $(GO) build ${SKOPEO_LDFLAGS} -tags "containers_image_openpgp $(BUILDTAGS)" -o $@ ./cmd/skopeo
 local-cross: bin/skopeo.darwin.amd64 bin/skopeo.linux.arm bin/skopeo.linux.arm64 bin/skopeo.windows.386.exe bin/skopeo.windows.amd64.exe

 $(MANPAGES): %: %.md
@@ -194,6 +187,11 @@ install-completions: completions
 shell:
 	$(CONTAINER_RUN) bash

+tools:
+	if [ ! -x "$(GOBIN)/golangci-lint" ]; then \
+		curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(GOBIN) v$(GOLANGCI_LINT_VERSION) ; \
+	fi
+
 check: validate test-unit test-integration test-system

 test-integration:
@@ -206,7 +204,8 @@ test-integration:

 # Intended for CI, assumed to be running in quay.io/libpod/skopeo_cidev container.
 test-integration-local: bin/skopeo
-	hack/make.sh test-integration
+	hack/warn-destructive-tests.sh
+	hack/test-integration.sh

 # complicated set of options needed to run podman-in-podman
 test-system:
@@ -222,7 +221,8 @@ test-system:

 # Intended for CI, assumed to already be running in quay.io/libpod/skopeo_cidev container.
 test-system-local: bin/skopeo
-	hack/make.sh test-system
+	hack/warn-destructive-tests.sh
+	hack/test-system.sh

 test-unit:
 	# Just call (make test unit-local) here instead of worrying about environment differences
@@ -236,16 +236,19 @@ test-all-local: validate-local validate-docs test-unit-local

 .PHONY: validate-local
 validate-local:
-	BUILDTAGS="${BUILDTAGS}" hack/make.sh validate-git-marks validate-gofmt validate-lint validate-vet
+	hack/validate-git-marks.sh
+	hack/validate-gofmt.sh
+	GOBIN=$(GOBIN) hack/validate-lint.sh
+	BUILDTAGS="${BUILDTAGS}" hack/validate-vet.sh

 # This invokes bin/skopeo, hence cannot be run as part of validate-local
 .PHONY: validate-docs
-validate-docs:
+validate-docs: bin/skopeo
 	hack/man-page-checker
 	hack/xref-helpmsgs-manpages

-test-unit-local: bin/skopeo
-	$(GO) test $(MOD_VENDOR) -tags "$(BUILDTAGS)" $$($(GO) list $(MOD_VENDOR) -tags "$(BUILDTAGS)" -e ./... | grep -v '^github\.com/containers/skopeo/\(integration\|vendor/.*\)$$')
+test-unit-local:
+	$(GO) test -tags "$(BUILDTAGS)" $$($(GO) list -tags "$(BUILDTAGS)" -e ./... | grep -v '^github\.com/containers/skopeo/\(integration\|vendor/.*\)$$')

 vendor:
 	$(GO) mod tidy
--- a/README.md
+++ b/README.md
@@ -1,8 +1,4 @@
-<!--- skopeo [![Build Status](https://travis-ci.org/containers/skopeo.svg?branch=main)](https://travis-ci.org/containers/skopeo)
-=
--->
-
-<img src="https://cdn.rawgit.com/containers/skopeo/main/docs/skopeo.svg" width="250">
+<img src="https://cdn.rawgit.com/containers/skopeo/main/docs/skopeo.svg" width="250" alt="Skopeo">

 ----

@@ -43,6 +39,12 @@ Skopeo works with API V2 container image registries such as [docker.io](https://
 * oci:path:tag
         An image tag in a directory compliant with "Open Container Image Layout Specification" at path.

+[Obtaining skopeo](./install.md)
+-
+
+For a detailed description how to install or build skopeo, see
+[install.md](./install.md).
+
 ## Inspecting a repository
 `skopeo` is able to _inspect_ a repository on a container registry and fetch images layers.
 The _inspect_ command fetches the repository's manifest and it is able to show you a `docker inspect`-like
@@ -193,12 +195,6 @@ $ skopeo inspect --creds=testuser:testpassword docker://myregistrydomain.com:500
 $ skopeo copy --src-creds=testuser:testpassword docker://myregistrydomain.com:5000/private oci:local_oci_image
 ```

-[Obtaining skopeo](./install.md)
-
-
-For a detailed description how to install or build skopeo, see
-[install.md](./install.md).
-
 Contributing
 -

--- a/cmd/skopeo/generate_sigstore_key_test.go
+++ b/cmd/skopeo/generate_sigstore_key_test.go
@@ -62,7 +62,7 @@ func TestGenerateSigstoreKey(t *testing.T) {
 	// we have to trigger a write failure.

 	// Success
-	// Just a smoke-test, useability of the keys is tested in the generate implementation.
+	// Just a smoke-test, usability of the keys is tested in the generate implementation.
 	dir := t.TempDir()
 	prefix := filepath.Join(dir, "prefix")
 	passphraseFile := filepath.Join(dir, "passphrase")
--- a/cmd/skopeo/inspect.go
+++ b/cmd/skopeo/inspect.go
@@ -6,8 +6,6 @@ import (
 	"fmt"
 	"io"
 	"strings"
-	"text/tabwriter"
-	"text/template"

 	"github.com/containers/common/pkg/report"
 	"github.com/containers/common/pkg/retry"
@@ -53,8 +51,8 @@ See skopeo(1) section "IMAGE NAMES" for the expected format
 `, strings.Join(transports.ListNames(), ", ")),
 		RunE: commandAction(opts.run),
 		Example: `skopeo inspect docker://registry.fedoraproject.org/fedora
-  skopeo inspect --config docker://docker.io/alpine
-  skopeo inspect  --format "Name: {{.Name}} Digest: {{.Digest}}" docker://registry.access.redhat.com/ubi8`,
+skopeo inspect --config docker://docker.io/alpine
+skopeo inspect --format "Name: {{.Name}} Digest: {{.Digest}}" docker://registry.access.redhat.com/ubi8`,
 		ValidArgsFunction: autocompleteSupportedTransports,
 	}
 	adjustUsage(cmd)
@@ -74,7 +72,6 @@ func (opts *inspectOptions) run(args []string, stdout io.Writer) (retErr error)
 		rawManifest []byte
 		src         types.ImageSource
 		imgInspect  *types.ImageInspectInfo
-		data        []interface{}
 	)
 	ctx, cancel := opts.global.commandTimeoutContext()
 	defer cancel()
@@ -151,18 +148,7 @@ func (opts *inspectOptions) run(args []string, stdout io.Writer) (retErr error)
 		}, opts.retryOpts); err != nil {
 			return fmt.Errorf("Error reading OCI-formatted configuration data: %w", err)
 		}
-		if report.IsJSON(opts.format) || opts.format == "" {
-			var out []byte
-			out, err = json.MarshalIndent(config, "", "    ")
-			if err == nil {
-				fmt.Fprintf(stdout, "%s\n", string(out))
-			}
-		} else {
-			row := "{{range . }}" + report.NormalizeFormat(opts.format) + "{{end}}"
-			data = append(data, config)
-			err = printTmpl(stdout, row, data)
-		}
-		if err != nil {
+		if err := opts.writeOutput(stdout, config); err != nil {
 			return fmt.Errorf("Error writing OCI-formatted configuration data to standard output: %w", err)
 		}
 		return nil
@@ -228,23 +214,23 @@ func (opts *inspectOptions) run(args []string, stdout io.Writer) (retErr error)
 			logrus.Warnf("Registry disallows tag list retrieval; skipping")
 		}
 	}
+	return opts.writeOutput(stdout, outputData)
+}
+
+// writeOutput writes data depending on opts.format to stdout
+func (opts *inspectOptions) writeOutput(stdout io.Writer, data any) error {
 	if report.IsJSON(opts.format) || opts.format == "" {
-		out, err := json.MarshalIndent(outputData, "", "    ")
+		out, err := json.MarshalIndent(data, "", "    ")
 		if err == nil {
 			fmt.Fprintf(stdout, "%s\n", string(out))
 		}
 		return err
 	}
-	row := "{{range . }}" + report.NormalizeFormat(opts.format) + "{{end}}"
-	data = append(data, outputData)
-	return printTmpl(stdout, row, data)
-}

-func printTmpl(stdout io.Writer, row string, data []interface{}) error {
-	t, err := template.New("skopeo inspect").Parse(row)
+	rpt, err := report.New(stdout, "skopeo inspect").Parse(report.OriginUser, opts.format)
 	if err != nil {
 		return err
 	}
-	w := tabwriter.NewWriter(stdout, 8, 2, 2, ' ', 0)
-	return t.Execute(w, data)
+	defer rpt.Flush()
+	return rpt.Execute([]any{data})
 }
--- a/cmd/skopeo/list_tags.go
+++ b/cmd/skopeo/list_tags.go
@@ -16,6 +16,7 @@ import (
 	"github.com/containers/image/v5/transports/alltransports"
 	"github.com/containers/image/v5/types"
 	"github.com/spf13/cobra"
+	"golang.org/x/exp/maps"
 )

 // tagListOutput is the output format of (skopeo list-tags), primarily so that we can format it with a simple json.MarshalIndent.
@@ -37,10 +38,7 @@ var transportHandlers = map[string]func(ctx context.Context, sys *types.SystemCo

 // supportedTransports returns all the supported transports
 func supportedTransports(joinStr string) string {
-	res := make([]string, 0, len(transportHandlers))
-	for handlerName := range transportHandlers {
-		res = append(res, handlerName)
-	}
+	res := maps.Keys(transportHandlers)
 	sort.Strings(res)
 	return strings.Join(res, joinStr)
 }
@@ -84,12 +82,12 @@ func parseDockerRepositoryReference(refString string) (types.ImageReference, err
 		return nil, fmt.Errorf("docker: image reference %s does not start with %s://", refString, docker.Transport.Name())
 	}

-	parts := strings.SplitN(refString, ":", 2)
-	if len(parts) != 2 {
+	_, dockerImageName, hasColon := strings.Cut(refString, ":")
+	if !hasColon {
 		return nil, fmt.Errorf(`Invalid image name "%s", expected colon-separated transport:reference`, refString)
 	}

-	ref, err := reference.ParseNormalizedNamed(strings.TrimPrefix(parts[1], "//"))
+	ref, err := reference.ParseNormalizedNamed(strings.TrimPrefix(dockerImageName, "//"))
 	if err != nil {
 		return nil, err
 	}
@@ -130,7 +128,7 @@ func listDockerRepoTags(ctx context.Context, sys *types.SystemContext, opts *tag
 }

 // return the tagLists from a docker archive file
-func listDockerArchiveTags(ctx context.Context, sys *types.SystemContext, opts *tagsOptions, userInput string) (repositoryName string, tagListing []string, err error) {
+func listDockerArchiveTags(_ context.Context, sys *types.SystemContext, _ *tagsOptions, userInput string) (repositoryName string, tagListing []string, err error) {
 	ref, err := alltransports.ParseImageName(userInput)
 	if err != nil {
 		return
--- a/cmd/skopeo/list_tags_test.go
+++ b/cmd/skopeo/list_tags_test.go
@@ -16,7 +16,6 @@ func TestDockerRepositoryReferenceParser(t *testing.T) {
 		{"docker://somehost.com"},          // Valid default expansion
 		{"docker://nginx"},                 // Valid default expansion
 	} {
-
 		ref, err := parseDockerRepositoryReference(test[0])
 		require.NoError(t, err)
 		expected, err := alltransports.ParseImageName(test[0])
@@ -47,7 +46,6 @@ func TestDockerRepositoryReferenceParserDrift(t *testing.T) {
 		{"docker://somehost.com", "docker.io/library/somehost.com"}, // Valid default expansion
 		{"docker://nginx", "docker.io/library/nginx"},               // Valid default expansion
 	} {
-
 		ref, err := parseDockerRepositoryReference(test[0])
 		ref2, err2 := alltransports.ParseImageName(test[0])

--- a/cmd/skopeo/login_test.go
+++ b/cmd/skopeo/login_test.go
@@ -0,0 +1,18 @@
+package main
+
+import (
+	"path/filepath"
+	"testing"
+)
+
+func TestLogin(t *testing.T) {
+	dir := t.TempDir()
+	authFile := filepath.Join(dir, "auth.json")
+	compatAuthFile := filepath.Join(dir, "config.json")
+
+	// Just a trivial smoke-test exercising one error-handling path.
+	// We can’t test full operation without a registry, unit tests should mostly
+	// exist in c/common/pkg/auth, not here.
+	out, err := runSkopeo("login", "--authfile", authFile, "--compat-auth-file", compatAuthFile, "example.com")
+	assertTestFailed(t, out, err, "options for paths to the credential file and to the Docker-compatible credential file can not be set simultaneously")
+}
--- a/cmd/skopeo/logout_test.go
+++ b/cmd/skopeo/logout_test.go
@@ -0,0 +1,25 @@
+package main
+
+import (
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestLogout(t *testing.T) {
+	dir := t.TempDir()
+	authFile := filepath.Join(dir, "auth.json")
+	compatAuthFile := filepath.Join(dir, "config.json")
+
+	// Just a trivial smoke-test exercising one error-handling path.
+	// We can’t test full operation without a registry, unit tests should mostly
+	// exist in c/common/pkg/auth, not here.
+	err := os.WriteFile(authFile, []byte("{}"), 0o700)
+	require.NoError(t, err)
+	err = os.WriteFile(compatAuthFile, []byte("{}"), 0o700)
+	require.NoError(t, err)
+	out, err := runSkopeo("logout", "--authfile", authFile, "--compat-auth-file", compatAuthFile, "example.com")
+	assertTestFailed(t, out, err, "options for paths to the credential file and to the Docker-compatible credential file can not be set simultaneously")
+}
--- a/cmd/skopeo/main.go
+++ b/cmd/skopeo/main.go
@@ -55,14 +55,12 @@ func createApp() (*cobra.Command, *globalOptions) {
 	opts := globalOptions{}

 	rootCommand := &cobra.Command{
-		Use:  "skopeo",
-		Long: "Various operations with container images and container image registries",
-		RunE: requireSubcommand,
-		PersistentPreRunE: func(cmd *cobra.Command, args []string) error {
-			return opts.before(cmd)
-		},
-		SilenceUsage:  true,
-		SilenceErrors: true,
+		Use:               "skopeo",
+		Long:              "Various operations with container images and container image registries",
+		RunE:              requireSubcommand,
+		PersistentPreRunE: opts.before,
+		SilenceUsage:      true,
+		SilenceErrors:     true,
 		// Hide the completion command which is provided by cobra
 		CompletionOptions: cobra.CompletionOptions{HiddenDefaultCmd: true},
 		// This is documented to parse "local" (non-PersistentFlags) flags of parent commands before
@@ -115,7 +113,7 @@ func createApp() (*cobra.Command, *globalOptions) {
 }

 // before is run by the cli package for any command, before running the command-specific handler.
-func (opts *globalOptions) before(cmd *cobra.Command) error {
+func (opts *globalOptions) before(cmd *cobra.Command, args []string) error {
 	if opts.debug {
 		logrus.SetLevel(logrus.DebugLevel)
 	}
--- a/cmd/skopeo/proxy.go
+++ b/cmd/skopeo/proxy.go
@@ -95,7 +95,8 @@ import (
 // 0.2.3: Added GetFullConfig
 // 0.2.4: Added OpenImageOptional
 // 0.2.5: Added LayerInfoJSON
-const protocolVersion = "0.2.5"
+// 0.2.6: Policy Verification before pulling OCI
+const protocolVersion = "0.2.6"

 // maxMsgSize is the current limit on a packet size.
 // Note that all non-metadata (i.e. payload data) is sent over a pipe.
@@ -115,7 +116,7 @@ type request struct {
 	// Method is the name of the function
 	Method string `json:"method"`
 	// Args is the arguments (parsed inside the function)
-	Args []interface{} `json:"args"`
+	Args []any `json:"args"`
 }

 // reply is serialized to JSON as the return value from a function call.
@@ -123,7 +124,7 @@ type reply struct {
 	// Success is true if and only if the call succeeded.
 	Success bool `json:"success"`
 	// Value is an arbitrary value (or values, as array/map) returned from the call.
-	Value interface{} `json:"value"`
+	Value any `json:"value"`
 	// PipeID is an index into open pipes, and should be passed to FinishPipe
 	PipeID uint32 `json:"pipeid"`
 	// Error should be non-empty if Success == false
@@ -133,7 +134,7 @@ type reply struct {
 // replyBuf is our internal deserialization of reply plus optional fd
 type replyBuf struct {
 	// value will be converted to a reply Value
-	value interface{}
+	value any
 	// fd is the read half of a pipe, passed back to the client
 	fd *os.File
 	// pipeid will be provided to the client as PipeID, an index into our open pipes
@@ -154,7 +155,7 @@ type activePipe struct {
 // openImage is an opened image reference
 type openImage struct {
 	// id is an opaque integer handle
-	id        uint32
+	id        uint64
 	src       types.ImageSource
 	cachedimg types.Image
 }
@@ -169,9 +170,9 @@ type proxyHandler struct {
 	cache  types.BlobInfoCache

 	// imageSerial is a counter for open images
-	imageSerial uint32
+	imageSerial uint64
 	// images holds our opened images
-	images map[uint32]*openImage
+	images map[uint64]*openImage
 	// activePipes maps from "pipeid" to a pipe + goroutine pair
 	activePipes map[uint32]*activePipe
 }
@@ -185,7 +186,7 @@ type convertedLayerInfo struct {
 }

 // Initialize performs one-time initialization, and returns the protocol version
-func (h *proxyHandler) Initialize(args []interface{}) (replyBuf, error) {
+func (h *proxyHandler) Initialize(args []any) (replyBuf, error) {
 	h.lock.Lock()
 	defer h.lock.Unlock()

@@ -214,7 +215,7 @@ func (h *proxyHandler) Initialize(args []interface{}) (replyBuf, error) {

 // OpenImage accepts a string image reference i.e. TRANSPORT:REF - like `skopeo copy`.
 // The return value is an opaque integer handle.
-func (h *proxyHandler) OpenImage(args []interface{}) (replyBuf, error) {
+func (h *proxyHandler) OpenImage(args []any) (replyBuf, error) {
 	return h.openImageImpl(args, false)
 }

@@ -237,7 +238,7 @@ func isNotFoundImageError(err error) bool {
 		errors.Is(err, ocilayout.ImageNotFoundError{})
 }

-func (h *proxyHandler) openImageImpl(args []interface{}, allowNotFound bool) (replyBuf, error) {
+func (h *proxyHandler) openImageImpl(args []any, allowNotFound bool) (retReplyBuf replyBuf, retErr error) {
 	h.lock.Lock()
 	defer h.lock.Unlock()
 	var ret replyBuf
@@ -266,6 +267,25 @@ func (h *proxyHandler) openImageImpl(args []interface{}, allowNotFound bool) (re
 		return ret, err
 	}

+	policyContext, err := h.opts.global.getPolicyContext()
+	if err != nil {
+		return ret, err
+	}
+	defer func() {
+		if err := policyContext.Destroy(); err != nil {
+			retErr = noteCloseFailure(retErr, "tearing down policy context", err)
+		}
+	}()
+
+	unparsedTopLevel := image.UnparsedInstance(imgsrc, nil)
+	allowed, err := policyContext.IsRunningImageAllowed(context.Background(), unparsedTopLevel)
+	if err != nil {
+		return ret, err
+	}
+	if !allowed {
+		return ret, fmt.Errorf("internal inconsistency: policy verification failed without returning an error")
+	}
+
 	// Note that we never return zero as an imageid; this code doesn't yet
 	// handle overflow though.
 	h.imageSerial++
@@ -282,11 +302,11 @@ func (h *proxyHandler) openImageImpl(args []interface{}, allowNotFound bool) (re
 // OpenImage accepts a string image reference i.e. TRANSPORT:REF - like `skopeo copy`.
 // The return value is an opaque integer handle.  If the image does not exist, zero
 // is returned.
-func (h *proxyHandler) OpenImageOptional(args []interface{}) (replyBuf, error) {
+func (h *proxyHandler) OpenImageOptional(args []any) (replyBuf, error) {
 	return h.openImageImpl(args, true)
 }

-func (h *proxyHandler) CloseImage(args []interface{}) (replyBuf, error) {
+func (h *proxyHandler) CloseImage(args []any) (replyBuf, error) {
 	h.lock.Lock()
 	defer h.lock.Unlock()
 	var ret replyBuf
@@ -307,16 +327,8 @@ func (h *proxyHandler) CloseImage(args []interface{}) (replyBuf, error) {
 	return ret, nil
 }

-func parseImageID(v interface{}) (uint32, error) {
-	imgidf, ok := v.(float64)
-	if !ok {
-		return 0, fmt.Errorf("expecting integer imageid, not %T", v)
-	}
-	return uint32(imgidf), nil
-}
-
 // parseUint64 validates that a number fits inside a JavaScript safe integer
-func parseUint64(v interface{}) (uint64, error) {
+func parseUint64(v any) (uint64, error) {
 	f, ok := v.(float64)
 	if !ok {
 		return 0, fmt.Errorf("expecting numeric, not %T", v)
@@ -327,8 +339,8 @@ func parseUint64(v interface{}) (uint64, error) {
 	return uint64(f), nil
 }

-func (h *proxyHandler) parseImageFromID(v interface{}) (*openImage, error) {
-	imgid, err := parseImageID(v)
+func (h *proxyHandler) parseImageFromID(v any) (*openImage, error) {
+	imgid, err := parseUint64(v)
 	if err != nil {
 		return nil, err
 	}
@@ -357,7 +369,7 @@ func (h *proxyHandler) allocPipe() (*os.File, *activePipe, error) {

 // returnBytes generates a return pipe() from a byte array
 // In the future it might be nicer to return this via memfd_create()
-func (h *proxyHandler) returnBytes(retval interface{}, buf []byte) (replyBuf, error) {
+func (h *proxyHandler) returnBytes(retval any, buf []byte) (replyBuf, error) {
 	var ret replyBuf
 	piper, f, err := h.allocPipe()
 	if err != nil {
@@ -419,7 +431,7 @@ func (h *proxyHandler) cacheTargetManifest(img *openImage) error {

 // GetManifest returns a copy of the manifest, converted to OCI format, along with the original digest.
 // Manifest lists are resolved to the current operating system and architecture.
-func (h *proxyHandler) GetManifest(args []interface{}) (replyBuf, error) {
+func (h *proxyHandler) GetManifest(args []any) (replyBuf, error) {
 	h.lock.Lock()
 	defer h.lock.Unlock()

@@ -490,7 +502,7 @@ func (h *proxyHandler) GetManifest(args []interface{}) (replyBuf, error) {

 // GetFullConfig returns a copy of the image configuration, converted to OCI format.
 // https://github.com/opencontainers/image-spec/blob/main/config.md
-func (h *proxyHandler) GetFullConfig(args []interface{}) (replyBuf, error) {
+func (h *proxyHandler) GetFullConfig(args []any) (replyBuf, error) {
 	h.lock.Lock()
 	defer h.lock.Unlock()

@@ -527,7 +539,7 @@ func (h *proxyHandler) GetFullConfig(args []interface{}) (replyBuf, error) {
 // GetConfig returns a copy of the container runtime configuration, converted to OCI format.
 // Note that due to a historical mistake, this returns not the full image configuration,
 // but just the container runtime configuration.  You should use GetFullConfig instead.
-func (h *proxyHandler) GetConfig(args []interface{}) (replyBuf, error) {
+func (h *proxyHandler) GetConfig(args []any) (replyBuf, error) {
 	h.lock.Lock()
 	defer h.lock.Unlock()

@@ -562,7 +574,7 @@ func (h *proxyHandler) GetConfig(args []interface{}) (replyBuf, error) {
 }

 // GetBlob fetches a blob, performing digest verification.
-func (h *proxyHandler) GetBlob(args []interface{}) (replyBuf, error) {
+func (h *proxyHandler) GetBlob(args []any) (replyBuf, error) {
 	h.lock.Lock()
 	defer h.lock.Unlock()

@@ -632,7 +644,7 @@ func (h *proxyHandler) GetBlob(args []interface{}) (replyBuf, error) {
 // This needs to be called since the data returned by GetManifest() does not allow to correctly
 // calling GetBlob() for the containers-storage: transport (which doesn’t store the original compressed
 // representations referenced in the manifest).
-func (h *proxyHandler) GetLayerInfo(args []interface{}) (replyBuf, error) {
+func (h *proxyHandler) GetLayerInfo(args []any) (replyBuf, error) {
 	h.lock.Lock()
 	defer h.lock.Unlock()

@@ -668,7 +680,7 @@ func (h *proxyHandler) GetLayerInfo(args []interface{}) (replyBuf, error) {
 		layerInfos = img.LayerInfos()
 	}

-	var layers []convertedLayerInfo
+	layers := make([]convertedLayerInfo, 0, len(layerInfos))
 	for _, layer := range layerInfos {
 		layers = append(layers, convertedLayerInfo{layer.Digest, layer.Size, layer.MediaType})
 	}
@@ -678,7 +690,7 @@ func (h *proxyHandler) GetLayerInfo(args []interface{}) (replyBuf, error) {
 }

 // FinishPipe waits for the worker goroutine to finish, and closes the write side of the pipe.
-func (h *proxyHandler) FinishPipe(args []interface{}) (replyBuf, error) {
+func (h *proxyHandler) FinishPipe(args []any) (replyBuf, error) {
 	h.lock.Lock()
 	defer h.lock.Unlock()

@@ -828,7 +840,7 @@ func (h *proxyHandler) processRequest(readBytes []byte) (rb replyBuf, terminate
 func (opts *proxyOptions) run(args []string, stdout io.Writer) error {
 	handler := &proxyHandler{
 		opts:        opts,
-		images:      make(map[uint32]*openImage),
+		images:      make(map[uint64]*openImage),
 		activePipes: make(map[uint32]*activePipe),
 	}
 	defer handler.close()
--- a/cmd/skopeo/signing.go
+++ b/cmd/skopeo/signing.go
@@ -6,6 +6,7 @@ import (
 	"fmt"
 	"io"
 	"os"
+	"strings"

 	"github.com/containers/image/v5/pkg/cli"
 	"github.com/containers/image/v5/signature"
@@ -41,12 +42,12 @@ func (opts *standaloneSignOptions) run(args []string, stdout io.Writer) error {

 	manifest, err := os.ReadFile(manifestPath)
 	if err != nil {
-		return fmt.Errorf("Error reading %s: %v", manifestPath, err)
+		return fmt.Errorf("Error reading %s: %w", manifestPath, err)
 	}

 	mech, err := signature.NewGPGSigningMechanism()
 	if err != nil {
-		return fmt.Errorf("Error initializing GPG: %v", err)
+		return fmt.Errorf("Error initializing GPG: %w", err)
 	}
 	defer mech.Close()

@@ -57,25 +58,31 @@ func (opts *standaloneSignOptions) run(args []string, stdout io.Writer) error {

 	signature, err := signature.SignDockerManifestWithOptions(manifest, dockerReference, mech, fingerprint, &signature.SignOptions{Passphrase: passphrase})
 	if err != nil {
-		return fmt.Errorf("Error creating signature: %v", err)
+		return fmt.Errorf("Error creating signature: %w", err)
 	}

 	if err := os.WriteFile(opts.output, signature, 0644); err != nil {
-		return fmt.Errorf("Error writing signature to %s: %v", opts.output, err)
+		return fmt.Errorf("Error writing signature to %s: %w", opts.output, err)
 	}
 	return nil
 }

 type standaloneVerifyOptions struct {
+	publicKeyFile string
 }

 func standaloneVerifyCmd() *cobra.Command {
 	opts := standaloneVerifyOptions{}
 	cmd := &cobra.Command{
-		Use:   "standalone-verify MANIFEST DOCKER-REFERENCE KEY-FINGERPRINT SIGNATURE",
+		Use:   "standalone-verify MANIFEST DOCKER-REFERENCE KEY-FINGERPRINTS SIGNATURE",
 		Short: "Verify a signature using local files",
-		RunE:  commandAction(opts.run),
+		Long: `Verify a signature using local files
+
+KEY-FINGERPRINTS can be a comma separated list of fingerprints, or "any" if you trust all the keys in the public key file.`,
+		RunE: commandAction(opts.run),
 	}
+	flags := cmd.Flags()
+	flags.StringVar(&opts.publicKeyFile, "public-key-file", "", `File containing public keys. If not specified, will use local GPG keys.`)
 	adjustUsage(cmd)
 	return cmd
 }
@@ -86,29 +93,51 @@ func (opts *standaloneVerifyOptions) run(args []string, stdout io.Writer) error
 	}
 	manifestPath := args[0]
 	expectedDockerReference := args[1]
-	expectedFingerprint := args[2]
+	expectedFingerprints := strings.Split(args[2], ",")
 	signaturePath := args[3]

+	if opts.publicKeyFile == "" && len(expectedFingerprints) == 1 && expectedFingerprints[0] == "any" {
+		return fmt.Errorf("Cannot use any fingerprint without a public key file")
+	}
 	unverifiedManifest, err := os.ReadFile(manifestPath)
 	if err != nil {
-		return fmt.Errorf("Error reading manifest from %s: %v", manifestPath, err)
+		return fmt.Errorf("Error reading manifest from %s: %w", manifestPath, err)
 	}
 	unverifiedSignature, err := os.ReadFile(signaturePath)
 	if err != nil {
-		return fmt.Errorf("Error reading signature from %s: %v", signaturePath, err)
+		return fmt.Errorf("Error reading signature from %s: %w", signaturePath, err)
 	}

-	mech, err := signature.NewGPGSigningMechanism()
-	if err != nil {
-		return fmt.Errorf("Error initializing GPG: %v", err)
+	var mech signature.SigningMechanism
+	var publicKeyfingerprints []string
+	if opts.publicKeyFile != "" {
+		publicKeys, err := os.ReadFile(opts.publicKeyFile)
+		if err != nil {
+			return fmt.Errorf("Error reading public keys from %s: %w", opts.publicKeyFile, err)
+		}
+		mech, publicKeyfingerprints, err = signature.NewEphemeralGPGSigningMechanism(publicKeys)
+		if err != nil {
+			return fmt.Errorf("Error initializing GPG: %w", err)
+
+		}
+	} else {
+		mech, err = signature.NewGPGSigningMechanism()
+		if err != nil {
+			return fmt.Errorf("Error initializing GPG: %w", err)
+		}
 	}
 	defer mech.Close()
-	sig, err := signature.VerifyDockerManifestSignature(unverifiedSignature, unverifiedManifest, expectedDockerReference, mech, expectedFingerprint)
-	if err != nil {
-		return fmt.Errorf("Error verifying signature: %v", err)
+
+	if len(expectedFingerprints) == 1 && expectedFingerprints[0] == "any" {
+		expectedFingerprints = publicKeyfingerprints
 	}

-	fmt.Fprintf(stdout, "Signature verified, digest %s\n", sig.DockerManifestDigest)
+	sig, verificationFingerprint, err := signature.VerifyImageManifestSignatureUsingKeyIdentityList(unverifiedSignature, unverifiedManifest, expectedDockerReference, mech, expectedFingerprints)
+	if err != nil {
+		return fmt.Errorf("Error verifying signature: %w", err)
+	}
+
+	fmt.Fprintf(stdout, "Signature verified using fingerprint %s, digest %s\n", verificationFingerprint, sig.DockerManifestDigest)
 	return nil
 }

@@ -141,7 +170,7 @@ func (opts *untrustedSignatureDumpOptions) run(args []string, stdout io.Writer)

 	untrustedSignature, err := os.ReadFile(untrustedSignaturePath)
 	if err != nil {
-		return fmt.Errorf("Error reading untrusted signature from %s: %v", untrustedSignaturePath, err)
+		return fmt.Errorf("Error reading untrusted signature from %s: %w", untrustedSignaturePath, err)
 	}

 	untrustedInfo, err := signature.GetUntrustedSignatureInformationWithoutVerifying(untrustedSignature)
--- a/cmd/skopeo/signing_test.go
+++ b/cmd/skopeo/signing_test.go
@@ -127,11 +127,36 @@ func TestStandaloneVerify(t *testing.T) {
 		dockerReference, fixturesTestKeyFingerprint, "fixtures/corrupt.signature")
 	assertTestFailed(t, out, err, "Error verifying signature")

+	// Error using any without a public key file
+	out, err = runSkopeo("standalone-verify", manifestPath,
+		dockerReference, "any", signaturePath)
+	assertTestFailed(t, out, err, "Cannot use any fingerprint without a public key file")
+
 	// Success
 	out, err = runSkopeo("standalone-verify", manifestPath,
 		dockerReference, fixturesTestKeyFingerprint, signaturePath)
 	assert.NoError(t, err)
-	assert.Equal(t, "Signature verified, digest "+fixturesTestImageManifestDigest.String()+"\n", out)
+	assert.Equal(t, "Signature verified using fingerprint "+fixturesTestKeyFingerprint+", digest "+fixturesTestImageManifestDigest.String()+"\n", out)
+
+	// Using multiple fingerprints
+	out, err = runSkopeo("standalone-verify", manifestPath,
+		dockerReference, "0123456789ABCDEF0123456789ABCDEF01234567,"+fixturesTestKeyFingerprint+",DEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF", signaturePath)
+	assert.NoError(t, err)
+	assert.Equal(t, "Signature verified using fingerprint "+fixturesTestKeyFingerprint+", digest "+fixturesTestImageManifestDigest.String()+"\n", out)
+
+	// Using a public key file
+	t.Setenv("GNUPGHOME", "")
+	out, err = runSkopeo("standalone-verify", "--public-key-file", "fixtures/pubring.gpg", manifestPath,
+		dockerReference, fixturesTestKeyFingerprint, signaturePath)
+	assert.NoError(t, err)
+	assert.Equal(t, "Signature verified using fingerprint "+fixturesTestKeyFingerprint+", digest "+fixturesTestImageManifestDigest.String()+"\n", out)
+
+	// Using a public key file matching any public key
+	t.Setenv("GNUPGHOME", "")
+	out, err = runSkopeo("standalone-verify", "--public-key-file", "fixtures/pubring.gpg", manifestPath,
+		dockerReference, "any", signaturePath)
+	assert.NoError(t, err)
+	assert.Equal(t, "Signature verified using fingerprint "+fixturesTestKeyFingerprint+", digest "+fixturesTestImageManifestDigest.String()+"\n", out)
 }

 func TestUntrustedSignatureDump(t *testing.T) {
--- a/cmd/skopeo/sync.go
+++ b/cmd/skopeo/sync.go
@@ -12,6 +12,7 @@ import (
 	"regexp"
 	"strings"

+	"github.com/Masterminds/semver/v3"
 	commonFlag "github.com/containers/common/pkg/flag"
 	"github.com/containers/common/pkg/retry"
 	"github.com/containers/image/v5/copy"
@@ -26,7 +27,8 @@ import (
 	"github.com/opencontainers/go-digest"
 	"github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
-	"gopkg.in/yaml.v2"
+	"golang.org/x/exp/slices"
+	"gopkg.in/yaml.v3"
 )

 // syncOptions contains information retrieved from the skopeo sync command line.
@@ -70,6 +72,7 @@ type tlsVerifyConfig struct {
 type registrySyncConfig struct {
 	Images           map[string][]string    // Images map images name to slices with the images' references (tags, digests)
 	ImagesByTagRegex map[string]string      `yaml:"images-by-tag-regex"` // Images map images name to regular expression with the images' tags
+	ImagesBySemver   map[string]string      `yaml:"images-by-semver"`    // ImagesBySemver maps a repository to a semver constraint (e.g. '>=3.14') to match images' tags to
 	Credentials      types.DockerAuthConfig // Username and password used to authenticate with the registry
 	TLSVerify        tlsVerifyConfig        `yaml:"tls-verify"` // TLS verification mode (enabled by default)
 	CertDir          string                 `yaml:"cert-dir"`   // Path to the TLS certificates of the registry
@@ -131,12 +134,12 @@ See skopeo-sync(1) for details.
 }

 // UnmarshalYAML is the implementation of the Unmarshaler interface method
-// method for the tlsVerifyConfig type.
+// for the tlsVerifyConfig type.
 // It unmarshals the 'tls-verify' YAML key so that, when they key is not
 // specified, tls verification is enforced.
-func (tls *tlsVerifyConfig) UnmarshalYAML(unmarshal func(interface{}) error) error {
+func (tls *tlsVerifyConfig) UnmarshalYAML(value *yaml.Node) error {
 	var verify bool
-	if err := unmarshal(&verify); err != nil {
+	if err := value.Decode(&verify); err != nil {
 		return err
 	}

@@ -303,6 +306,14 @@ func imagesToCopyFromRegistry(registryName string, cfg registrySyncConfig, sourc
 		serverCtx.DockerAuthConfig = &cfg.Credentials
 	}
 	var repoDescList []repoDescriptor
+
+	if len(cfg.Images) == 0 && len(cfg.ImagesByTagRegex) == 0 && len(cfg.ImagesBySemver) == 0 {
+		logrus.WithFields(logrus.Fields{
+			"registry": registryName,
+		}).Warn("No images specified for registry")
+		return repoDescList, nil
+	}
+
 	for imageName, refs := range cfg.Images {
 		repoLogger := logrus.WithFields(logrus.Fields{
 			"repo":     imageName,
@@ -367,63 +378,146 @@ func imagesToCopyFromRegistry(registryName string, cfg registrySyncConfig, sourc
 			Context:   serverCtx})
 	}

-	for imageName, tagRegex := range cfg.ImagesByTagRegex {
-		repoLogger := logrus.WithFields(logrus.Fields{
-			"repo":     imageName,
-			"registry": registryName,
-		})
-		repoRef, err := parseRepositoryReference(fmt.Sprintf("%s/%s", registryName, imageName))
+	// include repository descriptors for cfg.ImagesByTagRegex
+	{
+		filterCollection, err := tagRegexFilterCollection(cfg.ImagesByTagRegex)
 		if err != nil {
-			repoLogger.Error("Error parsing repository name, skipping")
 			logrus.Error(err)
-			continue
+		} else {
+			additionalRepoDescList := filterSourceReferences(serverCtx, registryName, filterCollection)
+			repoDescList = append(repoDescList, additionalRepoDescList...)
 		}
+	}

-		repoLogger.Info("Processing repo")
-
-		var sourceReferences []types.ImageReference
-
-		tagReg, err := regexp.Compile(tagRegex)
+	// include repository descriptors for cfg.ImagesBySemver
+	{
+		filterCollection, err := semverFilterCollection(cfg.ImagesBySemver)
 		if err != nil {
-			repoLogger.WithFields(logrus.Fields{
-				"regex": tagRegex,
-			}).Error("Error parsing regex, skipping")
 			logrus.Error(err)
-			continue
+		} else {
+			additionalRepoDescList := filterSourceReferences(serverCtx, registryName, filterCollection)
+			repoDescList = append(repoDescList, additionalRepoDescList...)
 		}
-
-		repoLogger.Info("Querying registry for image tags")
-		allSourceReferences, err := imagesToCopyFromRepo(serverCtx, repoRef)
-		if err != nil {
-			repoLogger.Error("Error processing repo, skipping")
-			logrus.Error(err)
-			continue
-		}
-
-		repoLogger.Infof("Start filtering using the regular expression: %v", tagRegex)
-		for _, sReference := range allSourceReferences {
-			tagged, isTagged := sReference.DockerReference().(reference.Tagged)
-			if !isTagged {
-				repoLogger.Errorf("Internal error, reference %s does not have a tag, skipping", sReference.DockerReference())
-				continue
-			}
-			if tagReg.MatchString(tagged.Tag()) {
-				sourceReferences = append(sourceReferences, sReference)
-			}
-		}
-
-		if len(sourceReferences) == 0 {
-			repoLogger.Warnf("No refs to sync found")
-			continue
-		}
-		repoDescList = append(repoDescList, repoDescriptor{
-			ImageRefs: sourceReferences,
-			Context:   serverCtx})
 	}

 	return repoDescList, nil
 }

+// filterFunc is a function used to limit the initial set of image references
+// using tags, patterns, semver, etc.
+type filterFunc func(*logrus.Entry, types.ImageReference) bool
+
+// filterCollection is a map of repository names to filter functions.
+type filterCollection map[string]filterFunc
+
+// filterSourceReferences lists tags for images specified in the collection and
+// filters them using assigned filter functions.
+// It returns a list of repoDescriptors.
+func filterSourceReferences(sys *types.SystemContext, registryName string, collection filterCollection) []repoDescriptor {
+	var repoDescList []repoDescriptor
+	for repoName, filter := range collection {
+		logger := logrus.WithFields(logrus.Fields{
+			"repo":     repoName,
+			"registry": registryName,
+		})
+
+		repoRef, err := parseRepositoryReference(fmt.Sprintf("%s/%s", registryName, repoName))
+		if err != nil {
+			logger.Error("Error parsing repository name, skipping")
+			logrus.Error(err)
+			continue
+		}
+
+		logger.Info("Processing repo")
+
+		var sourceReferences []types.ImageReference
+
+		logger.Info("Querying registry for image tags")
+		sourceReferences, err = imagesToCopyFromRepo(sys, repoRef)
+		if err != nil {
+			logger.Error("Error processing repo, skipping")
+			logrus.Error(err)
+			continue
+		}
+
+		var filteredSourceReferences []types.ImageReference
+		for _, ref := range sourceReferences {
+			if filter(logger, ref) {
+				filteredSourceReferences = append(filteredSourceReferences, ref)
+			}
+		}
+
+		if len(filteredSourceReferences) == 0 {
+			logger.Warnf("No refs to sync found")
+			continue
+		}
+
+		repoDescList = append(repoDescList, repoDescriptor{
+			ImageRefs: filteredSourceReferences,
+			Context:   sys,
+		})
+	}
+	return repoDescList
+}
+
+// tagRegexFilterCollection converts a map of (repository name, tag regex) pairs
+// into a filterCollection, which is a map of (repository name, filter function)
+// pairs.
+func tagRegexFilterCollection(collection map[string]string) (filterCollection, error) {
+	filters := filterCollection{}
+
+	for repoName, tagRegex := range collection {
+		pattern, err := regexp.Compile(tagRegex)
+		if err != nil {
+			return nil, err
+		}
+
+		f := func(logger *logrus.Entry, sourceReference types.ImageReference) bool {
+			tagged, isTagged := sourceReference.DockerReference().(reference.Tagged)
+			if !isTagged {
+				logger.Errorf("Internal error, reference %s does not have a tag, skipping", sourceReference.DockerReference())
+				return false
+			}
+			return pattern.MatchString(tagged.Tag())
+		}
+		filters[repoName] = f
+	}
+
+	return filters, nil
+}
+
+// semverFilterCollection converts a map of (repository name, array of semver constraints) pairs
+// into a filterCollection, which is a map of (repository name, filter function)
+// pairs.
+func semverFilterCollection(collection map[string]string) (filterCollection, error) {
+	filters := filterCollection{}
+
+	for repoName, constraintString := range collection {
+		constraint, err := semver.NewConstraint(constraintString)
+		if err != nil {
+			return nil, err
+		}
+
+		f := func(logger *logrus.Entry, sourceReference types.ImageReference) bool {
+			tagged, isTagged := sourceReference.DockerReference().(reference.Tagged)
+			if !isTagged {
+				logger.Errorf("Internal error, reference %s does not have a tag, skipping", sourceReference.DockerReference())
+				return false
+			}
+			tagVersion, err := semver.NewVersion(tagged.Tag())
+			if err != nil {
+				logger.Tracef("Tag %q cannot be parsed as semver, skipping", tagged.Tag())
+				return false
+			}
+			return constraint.Check(tagVersion)
+		}
+
+		filters[repoName] = f
+	}
+
+	return filters, nil
+}
+
 // imagesToCopy retrieves all the images to copy from a specified sync source
 // and transport.
 // It returns a slice of repository descriptors, where each descriptor is a
@@ -488,13 +582,6 @@ func imagesToCopy(source string, transport string, sourceCtx *types.SystemContex
 			return descriptors, err
 		}
 		for registryName, registryConfig := range cfg {
-			if len(registryConfig.Images) == 0 && len(registryConfig.ImagesByTagRegex) == 0 {
-				logrus.WithFields(logrus.Fields{
-					"registry": registryName,
-				}).Warn("No images specified for registry")
-				continue
-			}
-
 			descs, err := imagesToCopyFromRegistry(registryName, registryConfig, *sourceCtx)
 			if err != nil {
 				return descriptors, fmt.Errorf("Failed to retrieve list of images from registry %q: %w", registryName, err)
@@ -523,26 +610,17 @@ func (opts *syncOptions) run(args []string, stdout io.Writer) (retErr error) {
 	}()

 	// validate source and destination options
-	contains := func(val string, list []string) (_ bool) {
-		for _, l := range list {
-			if l == val {
-				return true
-			}
-		}
-		return
-	}
-
 	if len(opts.source) == 0 {
 		return errors.New("A source transport must be specified")
 	}
-	if !contains(opts.source, []string{docker.Transport.Name(), directory.Transport.Name(), "yaml"}) {
+	if !slices.Contains([]string{docker.Transport.Name(), directory.Transport.Name(), "yaml"}, opts.source) {
 		return fmt.Errorf("%q is not a valid source transport", opts.source)
 	}

 	if len(opts.destination) == 0 {
 		return errors.New("A destination transport must be specified")
 	}
-	if !contains(opts.destination, []string{docker.Transport.Name(), directory.Transport.Name()}) {
+	if !slices.Contains([]string{docker.Transport.Name(), directory.Transport.Name()}, opts.destination) {
 		return fmt.Errorf("%q is not a valid destination transport", opts.destination)
 	}

--- a/cmd/skopeo/sync_test.go
+++ b/cmd/skopeo/sync_test.go
@@ -0,0 +1,46 @@
+package main
+
+import (
+	"testing"
+
+	"github.com/containers/image/v5/types"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"gopkg.in/yaml.v3"
+)
+
+var _ yaml.Unmarshaler = (*tlsVerifyConfig)(nil)
+
+func TestTLSVerifyConfig(t *testing.T) {
+	type container struct { // An example of a larger config file
+		TLSVerify tlsVerifyConfig `yaml:"tls-verify"`
+	}
+
+	for _, c := range []struct {
+		input    string
+		expected tlsVerifyConfig
+	}{
+		{
+			input:    `tls-verify: true`,
+			expected: tlsVerifyConfig{skip: types.OptionalBoolFalse},
+		},
+		{
+			input:    `tls-verify: false`,
+			expected: tlsVerifyConfig{skip: types.OptionalBoolTrue},
+		},
+		{
+			input:    ``, // No value
+			expected: tlsVerifyConfig{skip: types.OptionalBoolUndefined},
+		},
+	} {
+		config := container{}
+		err := yaml.Unmarshal([]byte(c.input), &config)
+		require.NoError(t, err, c.input)
+		assert.Equal(t, c.expected, config.TLSVerify, c.input)
+	}
+
+	// Invalid input
+	config := container{}
+	err := yaml.Unmarshal([]byte(`tls-verify: "not a valid bool"`), &config)
+	assert.Error(t, err)
+}
--- a/cmd/skopeo/unshare.go
+++ b/cmd/skopeo/unshare.go
@@ -3,6 +3,6 @@

 package main

-func reexecIfNecessaryForImages(inputImageNames ...string) error {
+func reexecIfNecessaryForImages(_ ...string) error {
 	return nil
 }
--- a/cmd/skopeo/unshare_linux.go
+++ b/cmd/skopeo/unshare_linux.go
@@ -6,6 +6,7 @@ import (
 	"github.com/containers/image/v5/transports/alltransports"
 	"github.com/containers/storage/pkg/unshare"
 	"github.com/syndtr/gocapability/capability"
+	"golang.org/x/exp/slices"
 )

 var neededCapabilities = []capability.Cap{
@@ -21,29 +22,32 @@ func maybeReexec() error {
 	// With Skopeo we need only the subset of the root capabilities necessary
 	// for pulling an image to the storage.  Do not attempt to create a namespace
 	// if we already have the capabilities we need.
-	capabilities, err := capability.NewPid(0)
+	capabilities, err := capability.NewPid2(0)
 	if err != nil {
 		return fmt.Errorf("error reading the current capabilities sets: %w", err)
 	}
-	for _, cap := range neededCapabilities {
-		if !capabilities.Get(capability.EFFECTIVE, cap) {
-			// We miss a capability we need, create a user namespaces
-			unshare.MaybeReexecUsingUserNamespace(true)
-			return nil
-		}
+	if err := capabilities.Load(); err != nil {
+		return fmt.Errorf("error loading the current capabilities sets: %w", err)
+	}
+	if slices.ContainsFunc(neededCapabilities, func(cap capability.Cap) bool {
+		return !capabilities.Get(capability.EFFECTIVE, cap)
+	}) {
+		// We miss a capability we need, create a user namespaces
+		unshare.MaybeReexecUsingUserNamespace(true)
+		return nil
 	}
 	return nil
 }

 func reexecIfNecessaryForImages(imageNames ...string) error {
 	// Check if container-storage is used before doing unshare
-	for _, imageName := range imageNames {
+	if slices.ContainsFunc(imageNames, func(imageName string) bool {
 		transport := alltransports.TransportFromImageName(imageName)
 		// Hard-code the storage name to avoid a reference on c/image/storage.
 		// See https://github.com/containers/skopeo/issues/771#issuecomment-563125006.
-		if transport != nil && transport.Name() == "containers-storage" {
-			return maybeReexec()
-		}
+		return transport != nil && transport.Name() == "containers-storage"
+	}) {
+		return maybeReexec()
 	}
 	return nil
 }
--- a/cmd/skopeo/utils.go
+++ b/cmd/skopeo/utils.go
@@ -44,7 +44,7 @@ func noteCloseFailure(err error, description string, closeErr error) error {
 	if err == nil {
 		return fmt.Errorf("%s: %w", description, closeErr)
 	}
-	// In this case we prioritize the primary error for use with %w; closeErr is usually less relevant, or might be a consequence of the primary erorr.
+	// In this case we prioritize the primary error for use with %w; closeErr is usually less relevant, or might be a consequence of the primary error.
 	return fmt.Errorf("%w (%s: %v)", err, description, closeErr)
 }

@@ -315,14 +315,11 @@ func parseCreds(creds string) (string, string, error) {
 	if creds == "" {
 		return "", "", errors.New("credentials can't be empty")
 	}
-	up := strings.SplitN(creds, ":", 2)
-	if len(up) == 1 {
-		return up[0], "", nil
-	}
-	if up[0] == "" {
+	username, password, _ := strings.Cut(creds, ":") // Sets password to "" if there is no ":"
+	if username == "" {
 		return "", "", errors.New("username can't be empty")
 	}
-	return up[0], up[1], nil
+	return username, password, nil
 }

 func getDockerAuth(creds string) (*types.DockerAuthConfig, error) {
--- a/cmd/skopeo/utils_test.go
+++ b/cmd/skopeo/utils_test.go
@@ -385,7 +385,6 @@ func TestParseManifestFormat(t *testing.T) {
 // since there is a shared authfile image option and a non-shared (prefixed) one, make sure the override logic
 // works correctly.
 func TestImageOptionsAuthfileOverride(t *testing.T) {
-
 	for _, testCase := range []struct {
 		flagPrefix           string
 		cmdFlags             []string
--- a/contrib/skopeoimage/README.md
+++ b/contrib/skopeoimage/README.md
@@ -1,70 +1,2 @@
-[comment]: <> (***ATTENTION*** ***WARNING*** ***ALERT*** ***CAUTION*** ***DANGER***)
-[comment]: <> ()
-[comment]: <> (ANY changes made to this file, once commited/merged must)
-[comment]: <> (be manually copy/pasted -in markdown- into the description)
-[comment]: <> (field on Quay at the following locations:)
-[comment]: <> ()
-[comment]: <> (https://quay.io/repository/containers/skopeo)
-[comment]: <> (https://quay.io/repository/skopeo/stable)
-[comment]: <> (https://quay.io/repository/skopeo/testing)
-[comment]: <> (https://quay.io/repository/skopeo/upstream)
-[comment]: <> ()
-[comment]: <> (***ATTENTION*** ***WARNING*** ***ALERT*** ***CAUTION*** ***DANGER***)
-
-<img src="https://cdn.rawgit.com/containers/skopeo/main/docs/skopeo.svg" width="250">
-
----
-
-# skopeoimage
-
-## Overview
-
-This directory contains the Containerfiles necessary to create the skopeoimage container
-images that are housed on quay.io under the skopeo account.  All repositories where
-the images live are public and can be pulled without credentials.  These container images are secured and the
-resulting containers can run safely with privileges within the container.
-
-The container images are built using the latest Fedora and then Skopeo is installed into them.
-The PATH in the container images is set to the default PATH provided by Fedora.  Also, the
-ENTRYPOINT and the WORKDIR variables are not set within these container images, as such they
-default to `/`.
-
-The container images are:
-
-  * `quay.io/containers/skopeo:v<version>` and `quay.io/skopeo/stable:v<version>` -
-    These images are built daily.  These images are intended contain an unchanging
-    and stable version of skopeo.  For the most recent `<version>` tags (`vX`,
-    `vX.Y`, and `vX.Y.Z`) the image contents will be updated daily to incorporate
-    (especially) security updates.  For build details, please[see the configuration
-    file](stable/Containerfile).
-  * `quay.io/containers/skopeo:latest` and `quay.io/skopeo/stable:latest` -
-    Built daily using the same Containerfile as above.  The skopeo version
-    will remain the "latest" available in Fedora, however the other image
-    contents may vary compared to the version-tagged images.
-  * `quay.io/skopeo/testing:latest` - This image is built daily, using the
-    latest version of Skopeo that was in the Fedora `updates-testing` repository.
-    The image is Built with [the testing Containerfile](testing/Containerfile).
-  * `quay.io/skopeo/upstream:latest` - This image is built daily using the latest
-    code found in this GitHub repository.  Due to the image changing frequently,
-    it's not guaranteed to be stable or even executable.  The image is built with
-    [the upstream Containerfile](upstream/Containerfile).
-
-
-## Sample Usage
-
-Although not required, it is suggested that [Podman](https://github.com/containers/podman) be used with these container images.
-
-```
-# Get Help on Skopeo
-podman run docker://quay.io/skopeo/stable:latest --help
-
-# Get help on the Skopeo Copy command
-podman run docker://quay.io/skopeo/stable:latest copy --help
-
-# Copy the Skopeo container image from quay.io to
-# a private registry
-podman run docker://quay.io/skopeo/stable:latest copy docker://quay.io/skopeo/stable docker://registry.internal.company.com/skopeo
-
-# Inspect the fedora:latest image
-podman run docker://quay.io/skopeo/stable:latest inspect --config docker://registry.fedoraproject.org/fedora:latest  | jq
-```
+The skopeo container image build context and automation have been
+moved to [https://github.com/containers/image_build/tree/main/skopeo](https://github.com/containers/image_build/tree/main/skopeo)
--- a/contrib/skopeoimage/stable/Containerfile
+++ b/contrib/skopeoimage/stable/Containerfile
@@ -1,47 +0,0 @@
-# stable/Containerfile
-#
-# Build a Skopeo container image from the latest
-# stable version of Skopeo on the Fedoras Updates System.
-# https://bodhi.fedoraproject.org/updates/?search=skopeo
-# This image can be used to create a secured container
-# that runs safely with privileges within the container.
-#
-FROM registry.fedoraproject.org/fedora:latest
-
-# Don't include container-selinux and remove
-# directories used by dnf that are just taking
-# up space.
-# TODO: rpm --setcaps... needed due to Fedora (base) image builds
-#       being (maybe still?) affected by
-#       https://bugzilla.redhat.com/show_bug.cgi?id=1995337#c3
-RUN dnf -y update && \
-    rpm --setcaps shadow-utils 2>/dev/null && \
-    dnf -y install skopeo fuse-overlayfs \
-        --exclude container-selinux && \
-    dnf clean all && \
-    rm -rf /var/cache /var/log/dnf* /var/log/yum.*
-
-RUN useradd skopeo && \
-    echo skopeo:100000:65536 > /etc/subuid && \
-    echo skopeo:100000:65536 > /etc/subgid
-
-# Copy & modify the defaults to provide reference if runtime changes needed.
-# Changes here are required for running with fuse-overlay storage inside container.
-RUN sed -e 's|^#mount_program|mount_program|g' \
-        -e '/additionalimage.*/a "/var/lib/shared",' \
-        -e 's|^mountopt[[:space:]]*=.*$|mountopt = "nodev,fsync=0"|g' \
-        /usr/share/containers/storage.conf \
-        > /etc/containers/storage.conf
-
-# Setup the ability to use additional stores
-# with this container image.
-RUN mkdir -p /var/lib/shared/overlay-images \
-             /var/lib/shared/overlay-layers && \
-    touch /var/lib/shared/overlay-images/images.lock && \
-    touch /var/lib/shared/overlay-layers/layers.lock
-
-# Point to the Authorization file
-ENV REGISTRY_AUTH_FILE=/tmp/auth.json
-
-# Set the entrypoint
-ENTRYPOINT ["/usr/bin/skopeo"]
--- a/contrib/skopeoimage/testing/Containerfile
+++ b/contrib/skopeoimage/testing/Containerfile
@@ -1,49 +0,0 @@
-# testing/Containerfile
-#
-# Build a Skopeo container image from the latest
-# version of Skopeo that is in updates-testing
-# on the Fedoras Updates System.
-# https://bodhi.fedoraproject.org/updates/?search=skopeo
-# This image can be used to create a secured container
-# that runs safely with privileges within the container.
-#
-FROM registry.fedoraproject.org/fedora:latest
-
-# Don't include container-selinux and remove
-# directories used by dnf that are just taking
-# up space.
-# TODO: rpm --setcaps... needed due to Fedora (base) image builds
-#       being (maybe still?) affected by
-#       https://bugzilla.redhat.com/show_bug.cgi?id=1995337#c3
-RUN dnf -y update && \
-    rpm --setcaps shadow-utils 2>/dev/null && \
-    dnf -y install skopeo fuse-overlayfs \
-        --exclude container-selinux \
-        --enablerepo updates-testing && \
-    dnf clean all && \
-    rm -rf /var/cache /var/log/dnf* /var/log/yum.*
-
-RUN useradd skopeo && \
-    echo skopeo:100000:65536 > /etc/subuid && \
-    echo skopeo:100000:65536 > /etc/subgid
-
-# Copy & modify the defaults to provide reference if runtime changes needed.
-# Changes here are required for running with fuse-overlay storage inside container.
-RUN sed -e 's|^#mount_program|mount_program|g' \
-        -e '/additionalimage.*/a "/var/lib/shared",' \
-        -e 's|^mountopt[[:space:]]*=.*$|mountopt = "nodev,fsync=0"|g' \
-        /usr/share/containers/storage.conf \
-        > /etc/containers/storage.conf
-
-# Setup the ability to use additional stores
-# with this container image.
-RUN mkdir -p /var/lib/shared/overlay-images \
-             /var/lib/shared/overlay-layers && \
-    touch /var/lib/shared/overlay-images/images.lock && \
-    touch /var/lib/shared/overlay-layers/layers.lock
-
-# Point to the Authorization file
-ENV REGISTRY_AUTH_FILE=/tmp/auth.json
-
-# Set the entrypoint
-ENTRYPOINT ["/usr/bin/skopeo"]
--- a/contrib/skopeoimage/upstream/Containerfile
+++ b/contrib/skopeoimage/upstream/Containerfile
@@ -1,50 +0,0 @@
-# upstream/Containerfile
-#
-# Build a Skopeo container image from the latest
-# upstream version of Skopeo on GitHub.
-# https://github.com/containers/skopeo
-# This image can be used to create a secured container
-# that runs safely with privileges within the container.
-#
-FROM registry.fedoraproject.org/fedora:latest
-
-# Don't include container-selinux and remove
-# directories used by dnf that are just taking
-# up space.
-# TODO: rpm --setcaps... needed due to Fedora (base) image builds
-#       being (maybe still?) affected by
-#       https://bugzilla.redhat.com/show_bug.cgi?id=1995337#c3
-RUN dnf -y update && \
-    rpm --setcaps shadow-utils 2>/dev/null && \
-    dnf -y install 'dnf-command(copr)' --enablerepo=updates-testing && \
-    dnf -y copr enable rhcontainerbot/podman-next && \
-    dnf -y install skopeo \
-        --exclude container-selinux \
-        --enablerepo=updates-testing && \
-    dnf clean all && \
-    rm -rf /var/cache /var/log/dnf* /var/log/yum.*
-
-RUN useradd skopeo && \
-    echo skopeo:100000:65536 > /etc/subuid && \
-    echo skopeo:100000:65536 > /etc/subgid
-
-# Copy & modify the defaults to provide reference if runtime changes needed.
-# Changes here are required for running with fuse-overlay storage inside container.
-RUN sed -e 's|^#mount_program|mount_program|g' \
-        -e '/additionalimage.*/a "/var/lib/shared",' \
-        -e 's|^mountopt[[:space:]]*=.*$|mountopt = "nodev,fsync=0"|g' \
-        /usr/share/containers/storage.conf \
-        > /etc/containers/storage.conf
-
-# Setup the ability to use additional stores
-# with this container image.
-RUN mkdir -p /var/lib/shared/overlay-images \
-             /var/lib/shared/overlay-layers && \
-    touch /var/lib/shared/overlay-images/images.lock && \
-    touch /var/lib/shared/overlay-layers/layers.lock
-
-# Point to the Authorization file
-ENV REGISTRY_AUTH_FILE=/tmp/auth.json
-
-# Set the entrypoint
-ENTRYPOINT ["/usr/bin/skopeo"]
--- a/docs/skopeo-copy.1.md
+++ b/docs/skopeo-copy.1.md
@@ -20,6 +20,8 @@ automatically inherit any parts of the source name.

 ## OPTIONS

+See also [skopeo(1)](skopeo.1.md) for options placed before the subcommand name.
+
 **--additional-tag**=_strings_

 Additional tags (supports docker-archive).
@@ -56,7 +58,9 @@ After copying the image, write the digest of the resulting image to the file.

 **--preserve-digests**

-Preserve the digests during copying. Fail if the digest cannot be preserved. Consider using `--all` at the same time.
+Preserve the digests during copying. Fail if the digest cannot be preserved.
+
+This option does not change what will be copied; consider using `--all` at the same time.

 **--encrypt-layer** _ints_

@@ -178,7 +182,7 @@ Existing signatures, if any, are preserved as well.

 **--dest-compress-format** _format_

-Specifies the compression format to use.  Supported values are: `gzip` and `zstd`.
+Specifies the compression format to use.  Supported values are: `gzip`, `zstd` and `zstd:chunked`.

 **--dest-compress-level** _format_

--- a/docs/skopeo-delete.1.md
+++ b/docs/skopeo-delete.1.md
@@ -31,6 +31,8 @@ $ docker exec -it registry /usr/bin/registry garbage-collect /etc/docker-distrib

 ## OPTIONS

+See also [skopeo(1)](skopeo.1.md) for options placed before the subcommand name.
+
 **--authfile** _path_

 Path of the authentication file. Default is ${XDG_RUNTIME\_DIR}/containers/auth.json, which is set using `skopeo login`.
--- a/docs/skopeo-generate-sigstore-key.1.md
+++ b/docs/skopeo-generate-sigstore-key.1.md
@@ -17,6 +17,8 @@ The private key is written to _prefix_**.pub** .

 ## OPTIONS

+See also [skopeo(1)](skopeo.1.md) for options placed before the subcommand name.
+
 **--help**, **-h**

 Print usage statement
--- a/docs/skopeo-inspect.1.md
+++ b/docs/skopeo-inspect.1.md
@@ -17,6 +17,8 @@ To see values for a different architecture/OS, use the **--override-os** / **--o

 ## OPTIONS

+See also [skopeo(1)](skopeo.1.md) for options placed before the subcommand name.
+
 **--authfile** _path_

 Path of the authentication file. Default is ${XDG\_RUNTIME\_DIR}/containers/auth.json, which is set using `skopeo login`.
@@ -42,6 +44,7 @@ Use docker daemon host at _host_ (`docker-daemon:` transport only)

 Format the output using the given Go template.
 The keys of the returned JSON can be used as the values for the --format flag (see examples below).
+Supports the Go templating functions available at https://pkg.go.dev/github.com/containers/common/pkg/report#hdr-Template_Functions

 **--help**, **-h**

--- a/docs/skopeo-list-tags.1.md
+++ b/docs/skopeo-list-tags.1.md
@@ -12,6 +12,8 @@ Return a list of tags from _source-image_ in a registry or a local docker-archiv

 ## OPTIONS

+See also [skopeo(1)](skopeo.1.md) for options placed before the subcommand name.
+
 **--authfile** _path_

 Path of the authentication file. Default is ${XDG\_RUNTIME\_DIR}/containers/auth.json, which is set using `skopeo login`.
--- a/docs/skopeo-login.1.md
+++ b/docs/skopeo-login.1.md
@@ -15,6 +15,8 @@ flag. The default path used is **${XDG\_RUNTIME\_DIR}/containers/auth.json**.

 ## OPTIONS

+See also [skopeo(1)](skopeo.1.md) for options placed before the subcommand name.
+
 **--password**, **-p**=*password*

 Password for registry
@@ -34,6 +36,10 @@ Path of the authentication file. Default is ${XDG\_RUNTIME\_DIR}/containers/auth
 Note: You can also override the default path of the authentication file by setting the REGISTRY\_AUTH\_FILE
 environment variable. `export REGISTRY_AUTH_FILE=path`

+**--compat-auth-file**=*path*
+
+Instead of updating the default credentials file, update the one at *path*, and use a Docker-compatible format.
+
 **--get-login**

 Return the logged-in user for the registry. Return error if no login is found.
--- a/docs/skopeo-logout.1.md
+++ b/docs/skopeo-logout.1.md
@@ -14,6 +14,8 @@ All the cached credentials can be removed by setting the **all** flag.

 ## OPTIONS

+See also [skopeo(1)](skopeo.1.md) for options placed before the subcommand name.
+
 **--authfile**=*path*

 Path of the authentication file. Default is ${XDG\_RUNTIME\_DIR}/containers/auth.json
@@ -21,6 +23,10 @@ Path of the authentication file. Default is ${XDG\_RUNTIME\_DIR}/containers/auth
 Note: You can also override the default path of the authentication file by setting the REGISTRY\_AUTH\_FILE
 environment variable. `export REGISTRY_AUTH_FILE=path`

+**--compat-auth-file**=*path*
+
+Instead of updating the default credentials file, update the one at *path*, and use a Docker-compatible format.
+
 **--all**, **-a**

 Remove the cached credentials for all registries in the auth file
--- a/docs/skopeo-standalone-sign.1.md
+++ b/docs/skopeo-standalone-sign.1.md
@@ -17,6 +17,8 @@ This is primarily a debugging tool, useful for special cases, and usually should

 ## OPTIONS

+See also [skopeo(1)](skopeo.1.md) for options placed before the subcommand name.
+
 **--help**, **-h**

 Print usage statement
--- a/docs/skopeo-standalone-verify.1.md
+++ b/docs/skopeo-standalone-verify.1.md
@@ -4,7 +4,7 @@
 skopeo\-standalone\-verify - Verify an image signature.

 ## SYNOPSIS
-**skopeo standalone-verify** _manifest_ _docker-reference_ _key-fingerprint_ _signature_
+**skopeo standalone-verify** _manifest_ _docker-reference_ _key-fingerprints_ _signature_

 ## DESCRIPTION

@@ -16,7 +16,7 @@ as per containers-policy.json(5).

  _docker-reference_ A docker reference expected to identify the image in the signature

-  _key-fingerprint_ Expected identity of the signing key
+  _key-fingerprints_ Identities of trusted signing keys (comma separated), or "any" to trust any known key when using a public key file

  _signature_ Path to signature file

@@ -24,10 +24,16 @@ as per containers-policy.json(5).

 ## OPTIONS

+See also [skopeo(1)](skopeo.1.md) for options placed before the subcommand name.
+
 **--help**, **-h**

 Print usage statement

+**--public-key-file** _public key file_
+
+File containing the public keys to use when verifying signatures. If this is not specified, keys from the GPG homedir are used.
+
 ## EXAMPLES

 ```console
--- a/docs/skopeo-sync.1.md
+++ b/docs/skopeo-sync.1.md
@@ -8,10 +8,7 @@ skopeo\-sync - Synchronize images between registry repositories and local direct
 **skopeo sync** [*options*] --src _transport_ --dest _transport_ _source_ _destination_

 ## DESCRIPTION
-Synchronize images between registry repoositories and local directories.
-The synchronization is achieved by copying all the images found at _source_ to _destination_.
-
-Useful to synchronize a local container registry mirror, and to to populate registries running inside of air-gapped environments.
+Synchronize images between registry repositories and local directories. Synchronization is achieved by copying all the images found at _source_ to _destination_ - useful when synchronizing a local container registry mirror or for populating registries running inside of air-gapped environments.

 Differently from other skopeo commands, skopeo sync requires both source and destination transports to be specified separately from _source_ and _destination_.
 One of the problems of prefixing a destination with its transport is that, the registry `docker://hostname:port` would be wrongly interpreted as an image reference at a non-fully qualified registry, with `hostname` and `port` the image name and tag.
@@ -32,6 +29,9 @@ When the `--scoped` option is specified, images are prefixed with the source ima
 name can be stored at _destination_.

 ## OPTIONS
+
+See also [skopeo(1)](skopeo.1.md) for options placed before the subcommand name.
+
 **--all**, **-a**
 If one of the images in __src__ refers to a list of images, instead of copying just the image which matches the current OS and
 architecture (subject to the use of the global --override-os, --override-arch and --override-variant options), attempt to copy all of
@@ -68,7 +68,11 @@ Print usage statement.

 **--append-suffix** _tag-suffix_ String to append to destination tags.

-**--preserve-digests** Preserve the digests during copying. Fail if the digest cannot be preserved. Consider using `--all` at the same time.
+**--preserve-digests**
+
+Preserve the digests during copying. Fail if the digest cannot be preserved.
+
+This option does not change what will be copied; consider using `--all` at the same time.

 **--remove-signatures** Do not copy signatures, if any, from _source-image_. This is necessary when copying a signed image to a destination which does not support signatures.

@@ -215,6 +219,8 @@ registry.example.com:
            - "sha256:0000000000000000000000000000000011111111111111111111111111111111"
    images-by-tag-regex:
        nginx: ^1\.13\.[12]-alpine-perl$
+    images-by-semver:
+        alpine: ">= 3.12.0"
    credentials:
        username: john
        password: this is a secret
@@ -235,6 +241,14 @@ This will copy the following images:
 - Repository `registry.example.com/redis`: images tagged "1.0" and "2.0" along with image with digest "sha256:0000000000000000000000000000000011111111111111111111111111111111".
 - Repository `registry.example.com/nginx`: images tagged "1.13.1-alpine-perl" and "1.13.2-alpine-perl".
 - Repository `quay.io/coreos/etcd`: images tagged "latest".
+- Repository `registry.example.com/alpine`: all images with tags match the semantic version constraint ">= 3.12.0" ("3.12.0, "3.12.1", ... ,"4.0.0", ...)
+
+The full list of possible semantic version comparisons can be found in the
+upstream library's documentation:
+https://github.com/Masterminds/semver/tree/v3.2.0#basic-comparisons.
+
+Version ordering and precedence is understood as defined here:
+https://semver.org/#spec-item-11.

 For the registry `registry.example.com`, the "john"/"this is a secret" credentials are used, with server TLS certificates located at `/home/john/certs`.

--- a/docs/skopeo.1.md
+++ b/docs/skopeo.1.md
@@ -51,6 +51,9 @@ See [containers-transports(5)](https://github.com/containers/image/blob/main/doc

 ## OPTIONS

+These options should be placed before the subcommand name.
+Individual subcommands have their own options.
+
 **--command-timeout** _duration_

 Timeout for the command execution.
@@ -118,7 +121,7 @@ Print the version number

  **/etc/containers/registries.d**
  Default directory containing registry configuration, if **--registries.d** is not specified.
-  The contents of this directory are documented in [containers-policy.json(5)](https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md).
+  The contents of this directory are documented in [containers-registries.d(5)](https://github.com/containers/image/blob/main/docs/containers-registries.d.5.md).

 ## SEE ALSO
 skopeo-login(1), docker-login(1), containers-auth.json(5), containers-storage.conf(5), containers-policy.json(5), containers-transports(5)
--- a/go.mod
+++ b/go.mod
@@ -1,136 +1,140 @@
 module github.com/containers/skopeo

-go 1.17
+go 1.19

 require (
-	github.com/containers/common v0.51.0
-	github.com/containers/image/v5 v5.24.0
-	github.com/containers/ocicrypt v1.1.7
-	github.com/containers/storage v1.45.3
-	github.com/docker/distribution v2.8.1+incompatible
+	github.com/Masterminds/semver/v3 v3.2.1
+	github.com/containers/common v0.58.4
+	github.com/containers/image/v5 v5.30.2
+	github.com/containers/ocicrypt v1.1.10
+	github.com/containers/storage v1.53.0
+	github.com/docker/distribution v2.8.3+incompatible
 	github.com/opencontainers/go-digest v1.0.0
-	github.com/opencontainers/image-spec v1.1.0-rc2
+	github.com/opencontainers/image-spec v1.1.0
 	github.com/opencontainers/image-tools v1.0.0-rc3
-	github.com/sirupsen/logrus v1.9.0
-	github.com/spf13/cobra v1.6.1
+	github.com/sirupsen/logrus v1.9.3
+	github.com/spf13/cobra v1.8.0
 	github.com/spf13/pflag v1.0.5
-	github.com/stretchr/testify v1.8.1
+	github.com/stretchr/testify v1.9.0
 	github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635
-	golang.org/x/term v0.4.0
-	gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c
-	gopkg.in/yaml.v2 v2.4.0
+	golang.org/x/exp v0.0.0-20240222234643-814bf88cf225
+	golang.org/x/term v0.18.0
+	gopkg.in/yaml.v3 v3.0.1
 )

 require (
-	github.com/BurntSushi/toml v1.2.1 // indirect
-	github.com/Microsoft/go-winio v0.6.0 // indirect
-	github.com/Microsoft/hcsshim v0.9.6 // indirect
+	dario.cat/mergo v1.0.0 // indirect
+	github.com/BurntSushi/toml v1.3.2 // indirect
+	github.com/Microsoft/go-winio v0.6.1 // indirect
+	github.com/Microsoft/hcsshim v0.12.0-rc.3 // indirect
 	github.com/VividCortex/ewma v1.2.0 // indirect
 	github.com/acarl005/stripansi v0.0.0-20180116102854-5a71ef0e047d // indirect
-	github.com/asaskevich/govalidator v0.0.0-20210307081110-f21760c49a8d // indirect
-	github.com/containerd/cgroups v1.0.4 // indirect
-	github.com/containerd/stargz-snapshotter/estargz v0.13.0 // indirect
+	github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
+	github.com/containerd/cgroups/v3 v3.0.2 // indirect
+	github.com/containerd/errdefs v0.1.0 // indirect
+	github.com/containerd/stargz-snapshotter/estargz v0.15.1 // indirect
 	github.com/containers/libtrust v0.0.0-20230121012942-c1716e8a8d01 // indirect
-	github.com/coreos/go-oidc/v3 v3.5.0 // indirect
-	github.com/cyberphone/json-canonicalization v0.0.0-20220623050100-57a0ce2678a7 // indirect
-	github.com/cyphar/filepath-securejoin v0.2.3 // indirect
+	github.com/coreos/go-oidc/v3 v3.9.0 // indirect
+	github.com/cyberphone/json-canonicalization v0.0.0-20231217050601-ba74d44ecf5f // indirect
+	github.com/cyphar/filepath-securejoin v0.2.4 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
-	github.com/docker/docker v20.10.23+incompatible // indirect
-	github.com/docker/docker-credential-helpers v0.7.0 // indirect
-	github.com/docker/go-connections v0.4.0 // indirect
+	github.com/distribution/reference v0.5.0 // indirect
+	github.com/docker/docker v25.0.3+incompatible // indirect
+	github.com/docker/docker-credential-helpers v0.8.1 // indirect
+	github.com/docker/go-connections v0.5.0 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
 	github.com/dsnet/compress v0.0.2-0.20210315054119-f66993602bf5 // indirect
-	github.com/ghodss/yaml v1.0.0 // indirect
-	github.com/go-jose/go-jose/v3 v3.0.0 // indirect
+	github.com/felixge/httpsnoop v1.0.4 // indirect
+	github.com/go-jose/go-jose/v3 v3.0.3 // indirect
+	github.com/go-logr/logr v1.3.0 // indirect
+	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-openapi/analysis v0.21.4 // indirect
-	github.com/go-openapi/errors v0.20.3 // indirect
-	github.com/go-openapi/jsonpointer v0.19.5 // indirect
-	github.com/go-openapi/jsonreference v0.20.0 // indirect
+	github.com/go-openapi/errors v0.21.1 // indirect
+	github.com/go-openapi/jsonpointer v0.19.6 // indirect
+	github.com/go-openapi/jsonreference v0.20.2 // indirect
 	github.com/go-openapi/loads v0.21.2 // indirect
-	github.com/go-openapi/runtime v0.24.1 // indirect
-	github.com/go-openapi/spec v0.20.7 // indirect
-	github.com/go-openapi/strfmt v0.21.3 // indirect
-	github.com/go-openapi/swag v0.22.3 // indirect
-	github.com/go-openapi/validate v0.22.0 // indirect
-	github.com/go-playground/locales v0.14.0 // indirect
-	github.com/go-playground/universal-translator v0.18.0 // indirect
-	github.com/go-playground/validator/v10 v10.11.1 // indirect
+	github.com/go-openapi/runtime v0.26.0 // indirect
+	github.com/go-openapi/spec v0.20.9 // indirect
+	github.com/go-openapi/strfmt v0.22.2 // indirect
+	github.com/go-openapi/swag v0.22.10 // indirect
+	github.com/go-openapi/validate v0.22.1 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
-	github.com/golang/protobuf v1.5.2 // indirect
-	github.com/google/go-containerregistry v0.12.1 // indirect
+	github.com/golang/protobuf v1.5.3 // indirect
+	github.com/google/go-containerregistry v0.19.0 // indirect
 	github.com/google/go-intervals v0.0.2 // indirect
-	github.com/google/trillian v1.5.0 // indirect
-	github.com/google/uuid v1.3.0 // indirect
-	github.com/gorilla/mux v1.8.0 // indirect
+	github.com/google/uuid v1.6.0 // indirect
+	github.com/gorilla/mux v1.8.1 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
 	github.com/hashicorp/go-multierror v1.1.1 // indirect
-	github.com/hashicorp/go-retryablehttp v0.7.2 // indirect
-	github.com/imdario/mergo v0.3.13 // indirect
-	github.com/inconshreveable/mousetrap v1.0.1 // indirect
+	github.com/hashicorp/go-retryablehttp v0.7.5 // indirect
+	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
-	github.com/klauspost/compress v1.15.15 // indirect
-	github.com/klauspost/pgzip v1.2.6-0.20220930104621-17e8dac29df8 // indirect
-	github.com/kr/pretty v0.3.0 // indirect
-	github.com/kr/text v0.2.0 // indirect
-	github.com/leodido/go-urn v1.2.1 // indirect
-	github.com/letsencrypt/boulder v0.0.0-20221109233200-85aa52084eaf // indirect
+	github.com/klauspost/compress v1.17.7 // indirect
+	github.com/klauspost/pgzip v1.2.6 // indirect
+	github.com/kr/pretty v0.3.1 // indirect
+	github.com/letsencrypt/boulder v0.0.0-20230907030200-6d76a0f91e1e // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
-	github.com/mattn/go-runewidth v0.0.14 // indirect
+	github.com/mattn/go-runewidth v0.0.15 // indirect
 	github.com/mattn/go-shellwords v1.0.12 // indirect
-	github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect
+	github.com/mattn/go-sqlite3 v1.14.22 // indirect
 	github.com/miekg/pkcs11 v1.1.1 // indirect
-	github.com/mistifyio/go-zfs/v3 v3.0.0 // indirect
+	github.com/mistifyio/go-zfs/v3 v3.0.1 // indirect
 	github.com/mitchellh/mapstructure v1.5.0 // indirect
-	github.com/moby/sys/mountinfo v0.6.2 // indirect
+	github.com/moby/sys/mountinfo v0.7.1 // indirect
+	github.com/moby/sys/user v0.1.0 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/oklog/ulid v1.3.1 // indirect
-	github.com/opencontainers/runc v1.1.4 // indirect
-	github.com/opencontainers/runtime-spec v1.0.3-0.20220825212826-86290f6a00fb // indirect
-	github.com/opencontainers/selinux v1.10.2 // indirect
+	github.com/opencontainers/runtime-spec v1.2.0 // indirect
+	github.com/opencontainers/selinux v1.11.0 // indirect
 	github.com/opentracing/opentracing-go v1.2.0 // indirect
 	github.com/ostreedev/ostree-go v0.0.0-20210805093236-719684c64e4f // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/proglottis/gpgme v0.1.3 // indirect
-	github.com/rivo/uniseg v0.4.3 // indirect
-	github.com/rogpeppe/go-internal v1.8.0 // indirect
+	github.com/rivo/uniseg v0.4.4 // indirect
 	github.com/russross/blackfriday v2.0.0+incompatible // indirect
+	github.com/secure-systems-lab/go-securesystemslib v0.8.0 // indirect
 	github.com/segmentio/ksuid v1.0.4 // indirect
-	github.com/sigstore/fulcio v1.0.0 // indirect
-	github.com/sigstore/rekor v1.0.1 // indirect
-	github.com/sigstore/sigstore v1.5.1 // indirect
+	github.com/shurcooL/sanitized_anchor_name v1.0.0 // indirect
+	github.com/sigstore/fulcio v1.4.3 // indirect
+	github.com/sigstore/rekor v1.2.2 // indirect
+	github.com/sigstore/sigstore v1.8.2 // indirect
 	github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966 // indirect
 	github.com/stefanberger/go-pkcs11uri v0.0.0-20201008174630-78d3cae3a980 // indirect
-	github.com/sylabs/sif/v2 v2.9.0 // indirect
-	github.com/tchap/go-patricia v2.3.0+incompatible // indirect
-	github.com/theupdateframework/go-tuf v0.5.2-0.20221207161717-9cb61d6e65f5 // indirect
+	github.com/sylabs/sif/v2 v2.15.1 // indirect
+	github.com/tchap/go-patricia/v2 v2.3.1 // indirect
 	github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect
 	github.com/ulikunitz/xz v0.5.11 // indirect
-	github.com/vbatts/tar-split v0.11.2 // indirect
-	github.com/vbauerster/mpb/v7 v7.5.3 // indirect
+	github.com/vbatts/tar-split v0.11.5 // indirect
+	github.com/vbauerster/mpb/v8 v8.7.2 // indirect
 	github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
 	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
 	github.com/xeipuuv/gojsonschema v1.2.0 // indirect
-	go.etcd.io/bbolt v1.3.6 // indirect
-	go.mongodb.org/mongo-driver v1.11.1 // indirect
+	go.mongodb.org/mongo-driver v1.14.0 // indirect
 	go.mozilla.org/pkcs7 v0.0.0-20210826202110-33d05740a352 // indirect
 	go.opencensus.io v0.24.0 // indirect
-	golang.org/x/crypto v0.5.0 // indirect
-	golang.org/x/mod v0.7.0 // indirect
-	golang.org/x/net v0.5.0 // indirect
-	golang.org/x/oauth2 v0.4.0 // indirect
-	golang.org/x/sync v0.1.0 // indirect
-	golang.org/x/sys v0.4.0 // indirect
-	golang.org/x/text v0.6.0 // indirect
-	golang.org/x/tools v0.4.0 // indirect
-	google.golang.org/appengine v1.6.7 // indirect
-	google.golang.org/genproto v0.0.0-20221227171554-f9683d7f8bef // indirect
-	google.golang.org/grpc v1.51.0 // indirect
-	google.golang.org/protobuf v1.28.1 // indirect
-	gopkg.in/square/go-jose.v2 v2.6.0 // indirect
-	gopkg.in/yaml.v3 v3.0.1 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.45.0 // indirect
+	go.opentelemetry.io/otel v1.19.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.19.0 // indirect
+	go.opentelemetry.io/otel/metric v1.19.0 // indirect
+	go.opentelemetry.io/otel/trace v1.19.0 // indirect
+	go.opentelemetry.io/proto/otlp v1.0.0 // indirect
+	golang.org/x/crypto v0.21.0 // indirect
+	golang.org/x/mod v0.15.0 // indirect
+	golang.org/x/net v0.22.0 // indirect
+	golang.org/x/oauth2 v0.18.0 // indirect
+	golang.org/x/sync v0.6.0 // indirect
+	golang.org/x/sys v0.18.0 // indirect
+	golang.org/x/text v0.14.0 // indirect
+	golang.org/x/tools v0.18.0 // indirect
+	google.golang.org/appengine v1.6.8 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20231002182017-d307bd883b97 // indirect
+	google.golang.org/grpc v1.59.0 // indirect
+	google.golang.org/protobuf v1.33.0 // indirect
+	gopkg.in/go-jose/go-jose.v2 v2.6.3 // indirect
+	gopkg.in/yaml.v2 v2.4.0 // indirect
 )
--- a/go.sum
+++ b/go.sum
--- a/hack/libsubid_tag.sh
+++ b/hack/libsubid_tag.sh
@@ -5,11 +5,16 @@ fi
 tmpdir="$PWD/tmp.$RANDOM"
 mkdir -p "$tmpdir"
 trap 'rm -fr "$tmpdir"' EXIT
-cc -o "$tmpdir"/libsubid_tag -l subid -x c - > /dev/null 2> /dev/null << EOF
+cc -o "$tmpdir"/libsubid_tag -x c - -l subid > /dev/null 2> /dev/null << EOF
 #include <shadow/subid.h>
+#include <stdlib.h>
 int main() {
 	struct subid_range *ranges = NULL;
+#if SUBID_ABI_MAJOR >= 4
+	subid_get_uid_ranges("root", &ranges);
+#else
 	get_subuid_ranges("root", &ranges);
+#endif
 	free(ranges);
 	return 0;
 }
--- a/hack/make.sh
+++ b/hack/make.sh
@@ -1,92 +0,0 @@
-#!/usr/bin/env bash
-set -e
-
-# This script builds various binary from a checkout of the skopeo
-# source code. DO NOT CALL THIS SCRIPT DIRECTLY.
-#
-# Requirements:
-# - The current directory should be a checkout of the skopeo source code
-#   (https://github.com/containers/skopeo). Whatever version is checked out
-#   will be built.
-# - The script is intended to be run inside the container specified
-#   in the output of hack/get_fqin.sh
-# - The right way to call this script is to invoke "make" from
-#   your checkout of the skopeo repository.
-#   the Makefile will do a "docker build -t skopeo ." and then
-#   "docker run hack/make.sh" in the resulting image.
-#
-
-set -o pipefail
-
-export SKOPEO_PKG='github.com/containers/skopeo'
-export SCRIPTDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
-export MAKEDIR="$SCRIPTDIR/make"
-
-# Set this to 1 to enable installation/modification of environment/services
-export SKOPEO_CONTAINER_TESTS=${SKOPEO_CONTAINER_TESTS:-0}
-
-if [[ "$SKOPEO_CONTAINER_TESTS" == "0" ]] && [[ "$CI" != "true" ]]; then
-    (
-    echo "***************************************************************"
-    echo "WARNING: Executing tests directly on the local development"
-    echo "         host is highly discouraged.  Many important items"
-    echo "         will be skipped.  For manual execution, please utilize"
-    echo "         the Makefile targets WITHOUT the '-local' suffix."
-    echo "***************************************************************"
-    ) > /dev/stderr
-    sleep 5
-fi
-
-echo
-
-# List of bundles to create when no argument is passed
-# TODO(runcom): these are the one left from Docker...for now
-# test-unit
-# validate-dco
-# cover
-DEFAULT_BUNDLES=(
-	validate-gofmt
-	validate-lint
-	validate-vet
-	validate-git-marks
-
-	test-integration
-)
-
-# Go module support: set `-mod=vendor` to use the vendored sources
-# See also the top-level Makefile.
-mod_vendor=
-if go help mod >/dev/null 2>&1; then
-  export GO111MODULE=on
-  mod_vendor='-mod=vendor'
-fi
-
-go_test_dir() {
-	dir=$1
-	(
-		echo '+ go test' $mod_vendor $TESTFLAGS ${BUILDTAGS:+-tags "$BUILDTAGS"} "${SKOPEO_PKG}${dir#.}"
-		cd "$dir"
-		export DEST="$ABS_DEST" # we're in a subshell, so this is safe -- our integration-cli tests need DEST, and "cd" screws it up
-		go test $mod_vendor $TESTFLAGS ${BUILDTAGS:+-tags "$BUILDTAGS"}
-	)
-}
-
-bundle() {
-	local bundle="$1"; shift
-	echo "---> Making bundle: $(basename "$bundle")"
-	source "$SCRIPTDIR/make/$bundle" "$@"
-}
-
-main() {
-	if [ $# -lt 1 ]; then
-		bundles=(${DEFAULT_BUNDLES[@]})
-	else
-		bundles=($@)
-	fi
-	for bundle in ${bundles[@]}; do
-		bundle "$bundle"
-		echo
-	done
-}
-
-main "$@"
--- a/hack/make/.validate
+++ b/hack/make/.validate
@@ -1,31 +0,0 @@
-#!/bin/bash
-
-if [ -z "$VALIDATE_UPSTREAM" ]; then
-	# this is kind of an expensive check, so let's not do this twice if we
-	# are running more than one validate bundlescript
-	
-	VALIDATE_REPO='https://github.com/containers/skopeo.git'
-	VALIDATE_BRANCH='main'
-	
-	if [ "$TRAVIS" = 'true' -a "$TRAVIS_PULL_REQUEST" != 'false' ]; then
-		VALIDATE_REPO="https://github.com/${TRAVIS_REPO_SLUG}.git"
-		VALIDATE_BRANCH="${TRAVIS_BRANCH}"
-	fi
-	
-	VALIDATE_HEAD="$(git rev-parse --verify HEAD)"
-	
-	git fetch -q "$VALIDATE_REPO" "refs/heads/$VALIDATE_BRANCH"
-	VALIDATE_UPSTREAM="$(git rev-parse --verify FETCH_HEAD)"
-	
-	VALIDATE_COMMIT_LOG="$VALIDATE_UPSTREAM..$VALIDATE_HEAD"
-	VALIDATE_COMMIT_DIFF="$VALIDATE_UPSTREAM...$VALIDATE_HEAD"
-	
-	validate_diff() {
-		git diff "$VALIDATE_UPSTREAM" "$@"
-	}
-	validate_log() {
-		if [ "$VALIDATE_UPSTREAM" != "$VALIDATE_HEAD" ]; then
-			git log "$VALIDATE_COMMIT_LOG" "$@"
-		fi
-	}
-fi
--- a/hack/make/test-integration
+++ b/hack/make/test-integration
@@ -1,12 +0,0 @@
-#!/bin/bash
-set -e
-
-bundle_test_integration() {
-	go_test_dir ./integration
-}
-
-# subshell so that we can export PATH without breaking other things
-(
-	make PREFIX=/usr install
-	bundle_test_integration
-) 2>&1
--- a/hack/make/validate-git-marks
+++ b/hack/make/validate-git-marks
@@ -1,44 +0,0 @@
-#!/usr/bin/env bash
-
-source "$(dirname "$BASH_SOURCE")/.validate"
-
-# folders=$(find * -type d | egrep -v '^Godeps|bundles|.git')
-
-IFS=$'\n'
-files=( $(validate_diff --diff-filter=ACMR --name-only -- '*' | grep -v '^vendor/' || true) )
-unset IFS
-
-badFiles=()
-for f in "${files[@]}"; do
-    if [ $(grep -r "^<<<<<<<" $f) ]; then
-        badFiles+=( "$f" )
-        continue
-    fi
-
-    if [ $(grep -r "^>>>>>>>" $f) ]; then
-        badFiles+=( "$f" )
-        continue
-    fi
-
-    if [ $(grep -r "^=======$" $f) ]; then
-        badFiles+=( "$f" )
-        continue
-    fi
-    set -e
-done
-
-
-if [ ${#badFiles[@]} -eq 0 ]; then
-	echo 'Congratulations!  There is no conflict.'
-else
-	{
-		echo "There is trace of conflict(s) in the following files :"
-		for f in "${badFiles[@]}"; do
-			echo " - $f"
-		done
-		echo
-		echo 'Please fix the conflict(s) commit the result.'
-		echo
-	} >&2
-	false
-fi
--- a/hack/make/validate-lint
+++ b/hack/make/validate-lint
@@ -1,33 +0,0 @@
-#!/bin/bash
-
-source "$(dirname "$BASH_SOURCE")/.validate"
-
-# We will eventually get to the point where packages should be the complete list
-# of subpackages, vendoring excluded, as given by:
-#
-IFS=$'\n'
-files=( $(validate_diff --diff-filter=ACMR --name-only -- '*.go' | grep -v '^vendor/\|^integration' || true) )
-unset IFS
-
-errors=()
-for f in "${files[@]}"; do
-	failedLint=$(golint "$f")
-	if [ "$failedLint" ]; then
-		errors+=( "$failedLint" )
-	fi
-done
-
-if [ ${#errors[@]} -eq 0 ]; then
-	echo 'Congratulations!  All Go source files have been linted.'
-else
-	{
-		echo "Errors from golint:"
-		for err in "${errors[@]}"; do
-			echo "$err"
-		done
-		echo
-		echo 'Please fix the above errors. You can test via "golint" and commit the result.'
-		echo
-	} >&2
-	false
-fi
--- a/hack/test-integration.sh
+++ b/hack/test-integration.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+set -e
+
+make PREFIX=/usr install
+
+echo "cd ./integration;" go test $TESTFLAGS ${BUILDTAGS:+-tags "$BUILDTAGS"}
+cd ./integration
+go test $TESTFLAGS ${BUILDTAGS:+-tags "$BUILDTAGS"}
--- a/hack/make/test-system
+++ b/hack/make/test-system
@@ -8,7 +8,7 @@ set -e
 #
 # Paradoxically (FIXME: clean this up), SKOPEO_CONTAINER_TESTS is set
 # both inside a container and without a container (in a CI VM); it actually means
-# "it is safe to desctructively modify the system for tests".
+# "it is safe to destructively modify the system for tests".
 #
 # On a CI VM, we can just use Podman as it is already configured; the changes below,
 # to use VFS, are necessary only inside a container, because overlay-inside-overlay
--- a/hack/validate-git-marks.sh
+++ b/hack/validate-git-marks.sh
@@ -0,0 +1,30 @@
+#!/usr/bin/env bash
+
+IFS=$'\n'
+files=( $(git ls-tree -r HEAD --name-only | grep -v '^vendor/' || true) )
+unset IFS
+
+badFiles=()
+for f in "${files[@]}"; do
+    if [ $(grep -r "^\(<<<<<<<\|>>>>>>>\|^=======$\)" $f) ]; then
+        badFiles+=( "$f" )
+        continue
+    fi
+    set -e
+done
+
+
+if [ ${#badFiles[@]} -eq 0 ]; then
+	echo 'Congratulations!  There is no conflict.'
+else
+	{
+		echo "There is trace of conflict(s) in the following files :"
+		for f in "${badFiles[@]}"; do
+			echo " - $f"
+		done
+		echo
+		echo 'Please fix the conflict(s) commit the result.'
+		echo
+	} >&2
+	exit 1
+fi
--- a/hack/make/validate-gofmt
+++ b/hack/make/validate-gofmt
@@ -1,9 +1,7 @@
 #!/bin/bash

-source "$(dirname "$BASH_SOURCE")/.validate"
-
 IFS=$'\n'
-files=( $(validate_diff --diff-filter=ACMR --name-only -- '*.go' | grep -v '^vendor/' || true) )
+files=( $(find . -name '*.go' | grep -v '^./vendor/' | sort || true) )
 unset IFS

 badFiles=()
@@ -25,5 +23,5 @@ else
 		echo 'Please reformat the above files using "gofmt -s -w" and commit the result.'
 		echo
 	} >&2
-	false
+	exit 1
 fi
--- a/hack/validate-lint.sh
+++ b/hack/validate-lint.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+errors=$($GOBIN/golangci-lint run --build-tags "${BUILDTAGS}" 2>&1)
+
+if [ -z "$errors" ]; then
+	echo 'Congratulations!  All Go source files have been linted.'
+else
+	{
+		echo "Errors from golangci-lint:"
+		echo "$errors"
+		echo
+		echo 'Please fix the above errors. You can test via "golangci-lint" and commit the result.'
+		echo
+	} >&2
+	exit 1
+fi
--- a/hack/make/validate-vet
+++ b/hack/make/validate-vet
@@ -1,6 +1,6 @@
 #!/bin/bash

-errors=$(go vet -tags="${BUILDTAGS}" $mod_vendor $(go list $mod_vendor -e ./...))
+errors=$(go vet -tags="${BUILDTAGS}" ./... 2>&1)

 if [ -z "$errors" ]; then
 	echo 'Congratulations!  All Go source files have been vetted.'
@@ -12,5 +12,5 @@ else
 		echo 'Please fix the above errors. You can test via "go vet" and commit the result.'
 		echo
 	} >&2
-	false
+	exit 1
 fi
--- a/hack/warn-destructive-tests.sh
+++ b/hack/warn-destructive-tests.sh
@@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+set -e
+
+# Set this to 1 to enable installation/modification of environment/services
+export SKOPEO_CONTAINER_TESTS=${SKOPEO_CONTAINER_TESTS:-0}
+
+if [[ "$SKOPEO_CONTAINER_TESTS" == "0" ]] && [[ "$CI" != "true" ]]; then
+    (
+    echo "***************************************************************"
+    echo "WARNING: Executing tests directly on the local development"
+    echo "         host is highly discouraged.  Many important items"
+    echo "         will be skipped.  For manual execution, please utilize"
+    echo "         the Makefile targets WITHOUT the '-local' suffix."
+    echo "***************************************************************"
+    ) > /dev/stderr
+    sleep 5
+fi
--- a/install.md
+++ b/install.md
@@ -55,6 +55,22 @@ sudo apk add skopeo

 [Package Info](https://pkgs.alpinelinux.org/packages?name=skopeo)

+### Gentoo
+
+```sh
+sudo emerge app-containers/skopeo
+```
+
+[Package Info](https://packages.gentoo.org/packages/app-containers/skopeo)
+
+### Arch Linux
+
+```sh
+sudo pacman -S skopeo
+```
+
+[Package Info](https://archlinux.org/packages/extra/x86_64/skopeo/)
+
 ### macOS

 ```sh
@@ -106,7 +122,6 @@ Skopeo has not yet been packaged for Windows. There is an [open feature
 request](https://github.com/containers/skopeo/issues/715) and contributions are
 always welcome.

-
 ## Container Images

 Skopeo container images are available at `quay.io/skopeo/stable:latest`.
@@ -116,14 +131,15 @@ For example,
 podman run docker://quay.io/skopeo/stable:latest copy --help
 ```

-[Read more](./contrib/skopeoimage/README.md).
+The skopeo container image build context and automation are
+located at [https://github.com/containers/image_build/tree/main/skopeo](https://github.com/containers/image_build/tree/main/skopeo)


 ## Building from Source

 Otherwise, read on for building and installing it from source:

-To build the `skopeo` binary you need at least Go 1.12.
+To build the `skopeo` binary you need at least Go 1.19.

 There are two ways to build skopeo: in a container, or locally without a
 container. Choose the one which better matches your needs and environment.
@@ -159,6 +175,11 @@ brew install gpgme
 sudo zypper install libgpgme-devel device-mapper-devel libbtrfs-devel glib2-devel
 ```

+```bash
+# Arch Linux:
+sudo pacman -S base-devel gpgme device-mapper btrfs-progs
+```
+
 Make sure to clone this repository in your `GOPATH` - otherwise compilation fails.

 ```bash
@@ -174,6 +195,22 @@ document generation can be skipped by passing `DISABLE_DOCS=1`:
 DISABLE_DOCS=1 make
 ```

+#### Additional prerequisites
+
+In order to dynamically link against system libraries and avoid compilation errors the ```CGO_ENABLED='1'``` flag must be enabled. You can easily check by ```go env | grep CGO_ENABLED```.
+
+An alternative would be to set the `BUILDTAGS=containers_image_openpgp` (this removes the dependency on `libgpgme` and its companion libraries).
+
+### Cross-compilation
+
+For cross-building skopeo, use the command `make bin/skopeo.OS.ARCH`, where OS represents
+the target operating system and ARCH stands for the desired architecture. For instance,
+to build skopeo for RISC-V 64-bit Linux, execute:
+
+```bash
+make bin/skopeo.linux.riscv64
+```
+
 ### Building documentation

 To build the manual you will need go-md2man.
@@ -235,15 +272,8 @@ There have been efforts in the past to produce and maintain static builds, but t

 That being said, if you would like to build Skopeo statically, you might be able to do it by combining all the following steps.
 - Export environment variable `CGO_ENABLED=0` (disabling CGO causes Go to prefer native libraries when possible, instead of dynamically linking against system libraries).
- Set the `BUILDTAGS=containers_image_openpgp` Make variable (this remove the dependency on `libgpgme` and its companion libraries).
- Clear the `GO_DYN_FLAGS` Make variable (which otherwise seems to force the creation of a dynamic executable).
-
-The following command implements these steps to produce a static binary in the `bin` subdirectory of the repository:
-
-```bash
-docker run -v $PWD:/src -w /src -e CGO_ENABLED=0 golang \
-make BUILDTAGS=containers_image_openpgp GO_DYN_FLAGS=
-```
+- Set the `BUILDTAGS=containers_image_openpgp` Make variable (this removes the dependency on `libgpgme` and its companion libraries).
+- Clear the `GO_DYN_FLAGS` Make variable if even a dependency on the ELF interpreter is undesirable.

 Keep in mind that the resulting binary is unsupported and might crash randomly. Only use if you know what you're doing!

--- a/integration/blocked_test.go
+++ b/integration/blocked_test.go
@@ -1,34 +1,34 @@
 package main

-import (
-	"gopkg.in/check.v1"
-)
-
 const blockedRegistriesConf = "./fixtures/blocked-registries.conf"
 const blockedErrorRegex = `.*registry registry-blocked.com is blocked in .*`

-func (s *SkopeoSuite) TestCopyBlockedSource(c *check.C) {
-	assertSkopeoFails(c, blockedErrorRegex,
+func (s *skopeoSuite) TestCopyBlockedSource() {
+	t := s.T()
+	assertSkopeoFails(t, blockedErrorRegex,
 		"--registries-conf", blockedRegistriesConf, "copy",
 		"docker://registry-blocked.com/image:test",
 		"docker://registry-unblocked.com/image:test")
 }

-func (s *SkopeoSuite) TestCopyBlockedDestination(c *check.C) {
-	assertSkopeoFails(c, blockedErrorRegex,
+func (s *skopeoSuite) TestCopyBlockedDestination() {
+	t := s.T()
+	assertSkopeoFails(t, blockedErrorRegex,
 		"--registries-conf", blockedRegistriesConf, "copy",
 		"docker://registry-unblocked.com/image:test",
 		"docker://registry-blocked.com/image:test")
 }

-func (s *SkopeoSuite) TestInspectBlocked(c *check.C) {
-	assertSkopeoFails(c, blockedErrorRegex,
+func (s *skopeoSuite) TestInspectBlocked() {
+	t := s.T()
+	assertSkopeoFails(t, blockedErrorRegex,
 		"--registries-conf", blockedRegistriesConf, "inspect",
 		"docker://registry-blocked.com/image:test")
 }

-func (s *SkopeoSuite) TestDeleteBlocked(c *check.C) {
-	assertSkopeoFails(c, blockedErrorRegex,
+func (s *skopeoSuite) TestDeleteBlocked() {
+	t := s.T()
+	assertSkopeoFails(t, blockedErrorRegex,
 		"--registries-conf", blockedRegistriesConf, "delete",
 		"docker://registry-blocked.com/image:test")
 }
--- a/integration/check_test.go
+++ b/integration/check_test.go
@@ -6,7 +6,9 @@ import (
 	"testing"

 	"github.com/containers/skopeo/version"
-	"gopkg.in/check.v1"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"github.com/stretchr/testify/suite"
 )

 const (
@@ -14,98 +16,104 @@ const (
 	privateRegistryURL1 = "127.0.0.1:5001"
 )

-func Test(t *testing.T) {
-	check.TestingT(t)
+func TestSkopeo(t *testing.T) {
+	suite.Run(t, &skopeoSuite{})
 }

-func init() {
-	check.Suite(&SkopeoSuite{})
-}
-
-type SkopeoSuite struct {
+type skopeoSuite struct {
+	suite.Suite
 	regV2         *testRegistryV2
 	regV2WithAuth *testRegistryV2
 }

-func (s *SkopeoSuite) SetUpSuite(c *check.C) {
+var _ = suite.SetupAllSuite(&skopeoSuite{})
+var _ = suite.TearDownAllSuite(&skopeoSuite{})
+
+func (s *skopeoSuite) SetupSuite() {
+	t := s.T()
 	_, err := exec.LookPath(skopeoBinary)
-	c.Assert(err, check.IsNil)
-	s.regV2 = setupRegistryV2At(c, privateRegistryURL0, false, false)
-	s.regV2WithAuth = setupRegistryV2At(c, privateRegistryURL1, true, false)
+	require.NoError(t, err)
+	s.regV2 = setupRegistryV2At(t, privateRegistryURL0, false, false)
+	s.regV2WithAuth = setupRegistryV2At(t, privateRegistryURL1, true, false)
 }

-func (s *SkopeoSuite) TearDownSuite(c *check.C) {
+func (s *skopeoSuite) TearDownSuite() {
 	if s.regV2 != nil {
-		s.regV2.tearDown(c)
+		s.regV2.tearDown()
 	}
 	if s.regV2WithAuth != nil {
-		//cmd := exec.Command("docker", "logout", s.regV2WithAuth)
-		//c.Assert(cmd.Run(), check.IsNil)
-		s.regV2WithAuth.tearDown(c)
+		// cmd := exec.Command("docker", "logout", s.regV2WithAuth)
+		// require.Noerror(t, cmd.Run())
+		s.regV2WithAuth.tearDown()
 	}
 }

-// TODO like dockerCmd but much easier, just out,err
-//func skopeoCmd()
-
-func (s *SkopeoSuite) TestVersion(c *check.C) {
-	assertSkopeoSucceeds(c, fmt.Sprintf(".*%s version %s.*", skopeoBinary, version.Version),
+func (s *skopeoSuite) TestVersion() {
+	t := s.T()
+	assertSkopeoSucceeds(t, fmt.Sprintf(".*%s version %s.*", skopeoBinary, version.Version),
 		"--version")
 }

-func (s *SkopeoSuite) TestCanAuthToPrivateRegistryV2WithoutDockerCfg(c *check.C) {
-	assertSkopeoFails(c, ".*manifest unknown.*",
+func (s *skopeoSuite) TestCanAuthToPrivateRegistryV2WithoutDockerCfg() {
+	t := s.T()
+	assertSkopeoFails(t, ".*manifest unknown.*",
 		"--tls-verify=false", "inspect", "--creds="+s.regV2WithAuth.username+":"+s.regV2WithAuth.password, fmt.Sprintf("docker://%s/busybox:latest", s.regV2WithAuth.url))
 }

-func (s *SkopeoSuite) TestNeedAuthToPrivateRegistryV2WithoutDockerCfg(c *check.C) {
-	assertSkopeoFails(c, ".*authentication required.*",
+func (s *skopeoSuite) TestNeedAuthToPrivateRegistryV2WithoutDockerCfg() {
+	t := s.T()
+	assertSkopeoFails(t, ".*authentication required.*",
 		"--tls-verify=false", "inspect", fmt.Sprintf("docker://%s/busybox:latest", s.regV2WithAuth.url))
 }

-func (s *SkopeoSuite) TestCertDirInsteadOfCertPath(c *check.C) {
-	assertSkopeoFails(c, ".*unknown flag: --cert-path.*",
+func (s *skopeoSuite) TestCertDirInsteadOfCertPath() {
+	t := s.T()
+	assertSkopeoFails(t, ".*unknown flag: --cert-path.*",
 		"--tls-verify=false", "inspect", fmt.Sprintf("docker://%s/busybox:latest", s.regV2WithAuth.url), "--cert-path=/")
-	assertSkopeoFails(c, ".*authentication required.*",
+	assertSkopeoFails(t, ".*authentication required.*",
 		"--tls-verify=false", "inspect", fmt.Sprintf("docker://%s/busybox:latest", s.regV2WithAuth.url), "--cert-dir=/etc/docker/certs.d/")
 }

 // TODO(runcom): as soon as we can push to registries ensure you can inspect here
 // not just get image not found :)
-func (s *SkopeoSuite) TestNoNeedAuthToPrivateRegistryV2ImageNotFound(c *check.C) {
+func (s *skopeoSuite) TestNoNeedAuthToPrivateRegistryV2ImageNotFound() {
+	t := s.T()
 	out, err := exec.Command(skopeoBinary, "--tls-verify=false", "inspect", fmt.Sprintf("docker://%s/busybox:latest", s.regV2.url)).CombinedOutput()
-	c.Assert(err, check.NotNil, check.Commentf(string(out)))
-	c.Assert(string(out), check.Matches, "(?s).*manifest unknown.*")                                 // (?s) : '.' will also match newlines
-	c.Assert(string(out), check.Not(check.Matches), "(?s).*unauthorized: authentication required.*") // (?s) : '.' will also match newlines
+	assert.Error(t, err, "%s", string(out))
+	assert.Regexp(t, "(?s).*manifest unknown.*", string(out))                         // (?s) : '.' will also match newlines
+	assert.NotRegexp(t, "(?s).*unauthorized: authentication required.*", string(out)) // (?s) : '.' will also match newlines
 }

-func (s *SkopeoSuite) TestInspectFailsWhenReferenceIsInvalid(c *check.C) {
-	assertSkopeoFails(c, `.*Invalid image name.*`, "inspect", "unknown")
+func (s *skopeoSuite) TestInspectFailsWhenReferenceIsInvalid() {
+	t := s.T()
+	assertSkopeoFails(t, `.*Invalid image name.*`, "inspect", "unknown")
 }

-func (s *SkopeoSuite) TestLoginLogout(c *check.C) {
-	assertSkopeoSucceeds(c, "^Login Succeeded!\n$",
+func (s *skopeoSuite) TestLoginLogout() {
+	t := s.T()
+	assertSkopeoSucceeds(t, "^Login Succeeded!\n$",
 		"login", "--tls-verify=false", "--username="+s.regV2WithAuth.username, "--password="+s.regV2WithAuth.password, s.regV2WithAuth.url)
 	// test --get-login returns username
-	assertSkopeoSucceeds(c, fmt.Sprintf("^%s\n$", s.regV2WithAuth.username),
+	assertSkopeoSucceeds(t, fmt.Sprintf("^%s\n$", s.regV2WithAuth.username),
 		"login", "--tls-verify=false", "--get-login", s.regV2WithAuth.url)
 	// test logout
-	assertSkopeoSucceeds(c, fmt.Sprintf("^Removed login credentials for %s\n$", s.regV2WithAuth.url),
+	assertSkopeoSucceeds(t, fmt.Sprintf("^Removed login credentials for %s\n$", s.regV2WithAuth.url),
 		"logout", s.regV2WithAuth.url)
 }

-func (s *SkopeoSuite) TestCopyWithLocalAuth(c *check.C) {
-	assertSkopeoSucceeds(c, "^Login Succeeded!\n$",
+func (s *skopeoSuite) TestCopyWithLocalAuth() {
+	t := s.T()
+	assertSkopeoSucceeds(t, "^Login Succeeded!\n$",
 		"login", "--tls-verify=false", "--username="+s.regV2WithAuth.username, "--password="+s.regV2WithAuth.password, s.regV2WithAuth.url)
 	// copy to private registry using local authentication
 	imageName := fmt.Sprintf("docker://%s/busybox:mine", s.regV2WithAuth.url)
-	assertSkopeoSucceeds(c, "", "copy", "--dest-tls-verify=false", testFQIN+":latest", imageName)
+	assertSkopeoSucceeds(t, "", "copy", "--dest-tls-verify=false", testFQIN+":latest", imageName)
 	// inspect from private registry
-	assertSkopeoSucceeds(c, "", "inspect", "--tls-verify=false", imageName)
+	assertSkopeoSucceeds(t, "", "inspect", "--tls-verify=false", imageName)
 	// logout from the registry
-	assertSkopeoSucceeds(c, fmt.Sprintf("^Removed login credentials for %s\n$", s.regV2WithAuth.url),
+	assertSkopeoSucceeds(t, fmt.Sprintf("^Removed login credentials for %s\n$", s.regV2WithAuth.url),
 		"logout", s.regV2WithAuth.url)
 	// inspect from private registry should fail after logout
-	assertSkopeoFails(c, ".*authentication required.*",
+	assertSkopeoFails(t, ".*authentication required.*",
 		"inspect", "--tls-verify=false", imageName)
 }
--- a/integration/copy_test.go
+++ b/integration/copy_test.go
--- a/integration/decompress-dirs.sh
+++ b/integration/decompress-dirs.sh
@@ -1,23 +0,0 @@
-#!/bin/bash -e
-# Account for differences between dir: images that are solely due to one being
-# compressed (fresh from a registry) and the other not being compressed (read
-# from storage, which decompressed it and had to reassemble the layer blobs).
-for dir in "$@" ; do
-    # Updating the manifest's blob digests may change the formatting, so
-    # use jq to get them into similar shape.
-    jq -M . "${dir}"/manifest.json > "${dir}"/manifest.json.tmp && mv "${dir}"/manifest.json.tmp "${dir}"/manifest.json
-    for candidate in "${dir}"/???????????????????????????????????????????????????????????????? ; do
-        # If a digest-identified file looks like it was compressed,
-        # decompress it, and replace its hash and size in the manifest
-        # with the values for their decompressed versions.
-        uncompressed=`zcat "${candidate}" 2> /dev/null | sha256sum | cut -c1-64`
-        if test $? -eq 0 ; then
-            if test "$uncompressed" != e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 ; then
-                zcat "${candidate}" > "${dir}"/${uncompressed}
-                sed -r -i -e "s#sha256:$(basename ${candidate})#sha256:${uncompressed}#g" "${dir}"/manifest.json
-                sed -r -i -e "s#\"size\": $(wc -c < ${candidate}),#\"size\": $(wc -c < ${dir}/${uncompressed}),#g" "${dir}"/manifest.json
-                rm -f "${candidate}"
-            fi
-        fi
-    done
-done
--- a/integration/openshift.go
+++ b/integration/openshift.go
@@ -9,10 +9,11 @@ import (
 	"os/exec"
 	"path/filepath"
 	"strings"
+	"testing"
 	"time"

 	"github.com/containers/storage/pkg/homedir"
-	"gopkg.in/check.v1"
+	"github.com/stretchr/testify/require"
 )

 var adminKUBECONFIG = map[string]string{
@@ -30,21 +31,21 @@ type openshiftCluster struct {
 // startOpenshiftCluster creates a new openshiftCluster.
 // WARNING: This affects state in users' home directory! Only run
 // in isolated test environment.
-func startOpenshiftCluster(c *check.C) *openshiftCluster {
+func startOpenshiftCluster(t *testing.T) *openshiftCluster {
 	cluster := &openshiftCluster{}
-	cluster.workingDir = c.MkDir()
+	cluster.workingDir = t.TempDir()

-	cluster.startMaster(c)
-	cluster.prepareRegistryConfig(c)
-	cluster.startRegistry(c)
-	cluster.ocLoginToProject(c)
-	cluster.dockerLogin(c)
-	cluster.relaxImageSignerPermissions(c)
+	cluster.startMaster(t)
+	cluster.prepareRegistryConfig(t)
+	cluster.startRegistry(t)
+	cluster.ocLoginToProject(t)
+	cluster.dockerLogin(t)
+	cluster.relaxImageSignerPermissions(t)

 	return cluster
 }

-// clusterCmd creates an exec.Cmd in cluster.workingDir with current environment modified by environment
+// clusterCmd creates an exec.Cmd in cluster.workingDir with current environment modified by environment.
 func (cluster *openshiftCluster) clusterCmd(env map[string]string, name string, args ...string) *exec.Cmd {
 	cmd := exec.Command(name, args...)
 	cmd.Dir = cluster.workingDir
@@ -56,21 +57,20 @@ func (cluster *openshiftCluster) clusterCmd(env map[string]string, name string,
 }

 // startMaster starts the OpenShift master (etcd+API server) and waits for it to be ready, or terminates on failure.
-func (cluster *openshiftCluster) startMaster(c *check.C) {
+func (cluster *openshiftCluster) startMaster(t *testing.T) {
 	cmd := cluster.clusterCmd(nil, "openshift", "start", "master")
 	cluster.processes = append(cluster.processes, cmd)
 	stdout, err := cmd.StdoutPipe()
-	c.Assert(err, check.IsNil)
-	// Send both to the same pipe. This might cause the two streams to be mixed up,
+	require.NoError(t, err)
 	// but logging actually goes only to stderr - this primarily ensure we log any
 	// unexpected output to stdout.
 	cmd.Stderr = cmd.Stdout
 	err = cmd.Start()
-	c.Assert(err, check.IsNil)
+	require.NoError(t, err)

-	portOpen, terminatePortCheck := newPortChecker(c, 8443)
+	portOpen, terminatePortCheck := newPortChecker(t, 8443)
 	defer func() {
-		c.Logf("Terminating port check")
+		t.Logf("Terminating port check")
 		terminatePortCheck <- true
 	}()

@@ -78,12 +78,12 @@ func (cluster *openshiftCluster) startMaster(c *check.C) {
 	logCheckFound := make(chan bool)
 	go func() {
 		defer func() {
-			c.Logf("Log checker exiting")
+			t.Logf("Log checker exiting")
 		}()
 		scanner := bufio.NewScanner(stdout)
 		for scanner.Scan() {
 			line := scanner.Text()
-			c.Logf("Log line: %s", line)
+			t.Logf("Log line: %s", line)
 			if strings.Contains(line, "Started Origin Controllers") {
 				logCheckFound <- true
 				return
@@ -92,7 +92,7 @@ func (cluster *openshiftCluster) startMaster(c *check.C) {
 			// Note: we can block before we get here.
 			select {
 			case <-terminateLogCheck:
-				c.Logf("terminated")
+				t.Logf("terminated")
 				return
 			default:
 				// Do not block here and read the next line.
@@ -101,7 +101,7 @@ func (cluster *openshiftCluster) startMaster(c *check.C) {
 		logCheckFound <- false
 	}()
 	defer func() {
-		c.Logf("Terminating log check")
+		t.Logf("Terminating log check")
 		terminateLogCheck <- true
 	}()

@@ -110,26 +110,26 @@ func (cluster *openshiftCluster) startMaster(c *check.C) {
 	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Minute)
 	defer cancel()
 	for !gotPortCheck || !gotLogCheck {
-		c.Logf("Waiting for master")
+		t.Logf("Waiting for master")
 		select {
 		case <-portOpen:
-			c.Logf("port check done")
+			t.Logf("port check done")
 			gotPortCheck = true
 		case found := <-logCheckFound:
-			c.Logf("log check done, found: %t", found)
+			t.Logf("log check done, found: %t", found)
 			if !found {
-				c.Fatal("log check done, success message not found")
+				t.Fatal("log check done, success message not found")
 			}
 			gotLogCheck = true
 		case <-ctx.Done():
-			c.Fatalf("Timed out waiting for master: %v", ctx.Err())
+			t.Fatalf("Timed out waiting for master: %v", ctx.Err())
 		}
 	}
-	c.Logf("OK, master started!")
+	t.Logf("OK, master started!")
 }

 // prepareRegistryConfig creates a registry service account and a related k8s client configuration in ${cluster.workingDir}/openshift.local.registry.
-func (cluster *openshiftCluster) prepareRegistryConfig(c *check.C) {
+func (cluster *openshiftCluster) prepareRegistryConfig(t *testing.T) {
 	// This partially mimics the objects created by (oadm registry), except that we run the
 	// server directly as an ordinary process instead of a pod with an implicitly attached service account.
 	saJSON := `{
@@ -140,93 +140,93 @@ func (cluster *openshiftCluster) prepareRegistryConfig(c *check.C) {
 		}
 	}`
 	cmd := cluster.clusterCmd(adminKUBECONFIG, "oc", "create", "-f", "-")
-	runExecCmdWithInput(c, cmd, saJSON)
+	runExecCmdWithInput(t, cmd, saJSON)

 	cmd = cluster.clusterCmd(adminKUBECONFIG, "oadm", "policy", "add-cluster-role-to-user", "system:registry", "-z", "registry")
 	out, err := cmd.CombinedOutput()
-	c.Assert(err, check.IsNil, check.Commentf("%s", string(out)))
-	c.Assert(string(out), check.Equals, "cluster role \"system:registry\" added: \"registry\"\n")
+	require.NoError(t, err, "%s", string(out))
+	require.Equal(t, "cluster role \"system:registry\" added: \"registry\"\n", string(out))

 	cmd = cluster.clusterCmd(adminKUBECONFIG, "oadm", "create-api-client-config", "--client-dir=openshift.local.registry", "--basename=openshift-registry", "--user=system:serviceaccount:default:registry")
 	out, err = cmd.CombinedOutput()
-	c.Assert(err, check.IsNil, check.Commentf("%s", string(out)))
-	c.Assert(string(out), check.Equals, "")
+	require.NoError(t, err, "%s", string(out))
+	require.Equal(t, "", string(out))
 }

 // startRegistry starts the OpenShift registry with configPart on port, waits for it to be ready, and returns the process object, or terminates on failure.
-func (cluster *openshiftCluster) startRegistryProcess(c *check.C, port int, configPath string) *exec.Cmd {
+func (cluster *openshiftCluster) startRegistryProcess(t *testing.T, port uint16, configPath string) *exec.Cmd {
 	cmd := cluster.clusterCmd(map[string]string{
 		"KUBECONFIG":          "openshift.local.registry/openshift-registry.kubeconfig",
 		"DOCKER_REGISTRY_URL": fmt.Sprintf("127.0.0.1:%d", port),
 	}, "dockerregistry", configPath)
-	consumeAndLogOutputs(c, fmt.Sprintf("registry-%d", port), cmd)
+	consumeAndLogOutputs(t, fmt.Sprintf("registry-%d", port), cmd)
 	err := cmd.Start()
-	c.Assert(err, check.IsNil)
+	require.NoError(t, err, "%s")

-	portOpen, terminatePortCheck := newPortChecker(c, port)
+	portOpen, terminatePortCheck := newPortChecker(t, port)
 	defer func() {
 		terminatePortCheck <- true
 	}()
-	c.Logf("Waiting for registry to start")
+	t.Logf("Waiting for registry to start")
 	ctx, cancel := context.WithTimeout(context.Background(), 1*time.Minute)
 	defer cancel()
 	select {
 	case <-portOpen:
-		c.Logf("OK, Registry port open")
+		t.Logf("OK, Registry port open")
 	case <-ctx.Done():
-		c.Fatalf("Timed out waiting for registry to start: %v", ctx.Err())
+		t.Fatalf("Timed out waiting for registry to start: %v", ctx.Err())
 	}

 	return cmd
 }

 // startRegistry starts the OpenShift registry and waits for it to be ready, or terminates on failure.
-func (cluster *openshiftCluster) startRegistry(c *check.C) {
+func (cluster *openshiftCluster) startRegistry(t *testing.T) {
 	// Our “primary” registry
-	cluster.processes = append(cluster.processes, cluster.startRegistryProcess(c, 5000, "/atomic-registry-config.yml"))
+	cluster.processes = append(cluster.processes, cluster.startRegistryProcess(t, 5000, "/atomic-registry-config.yml"))

 	// A registry configured with acceptschema2:false
-	schema1Config := fileFromFixture(c, "/atomic-registry-config.yml", map[string]string{
+	schema1Config := fileFromFixture(t, "/atomic-registry-config.yml", map[string]string{
 		"addr: :5000":              "addr: :5005",
 		"rootdirectory: /registry": "rootdirectory: /registry-schema1",
 		// The default configuration currently already contains acceptschema2: false
 	})
 	// Make sure the configuration contains "acceptschema2: false", because eventually it will be enabled upstream and this function will need to be updated.
 	configContents, err := os.ReadFile(schema1Config)
-	c.Assert(err, check.IsNil)
-	c.Assert(string(configContents), check.Matches, "(?s).*acceptschema2: false.*")
-	cluster.processes = append(cluster.processes, cluster.startRegistryProcess(c, 5005, schema1Config))
+	require.NoError(t, err)
+	require.Regexp(t, "(?s).*acceptschema2: false.*", string(configContents))
+	cluster.processes = append(cluster.processes, cluster.startRegistryProcess(t, 5005, schema1Config))

 	// A registry configured with acceptschema2:true
-	schema2Config := fileFromFixture(c, "/atomic-registry-config.yml", map[string]string{
+	schema2Config := fileFromFixture(t, "/atomic-registry-config.yml", map[string]string{
 		"addr: :5000":              "addr: :5006",
 		"rootdirectory: /registry": "rootdirectory: /registry-schema2",
 		"acceptschema2: false":     "acceptschema2: true",
 	})
-	cluster.processes = append(cluster.processes, cluster.startRegistryProcess(c, 5006, schema2Config))
+	cluster.processes = append(cluster.processes, cluster.startRegistryProcess(t, 5006, schema2Config))
 }

 // ocLogin runs (oc login) and (oc new-project) on the cluster, or terminates on failure.
-func (cluster *openshiftCluster) ocLoginToProject(c *check.C) {
-	c.Logf("oc login")
+func (cluster *openshiftCluster) ocLoginToProject(t *testing.T) {
+	t.Logf("oc login")
 	cmd := cluster.clusterCmd(nil, "oc", "login", "--certificate-authority=openshift.local.config/master/ca.crt", "-u", "myuser", "-p", "mypw", "https://localhost:8443")
 	out, err := cmd.CombinedOutput()
-	c.Assert(err, check.IsNil, check.Commentf("%s", out))
-	c.Assert(string(out), check.Matches, "(?s).*Login successful.*") // (?s) : '.' will also match newlines
+	require.NoError(t, err, "%s", out)
+	require.Regexp(t, "(?s).*Login successful.*", string(out)) // (?s) : '.' will also match newlines

-	outString := combinedOutputOfCommand(c, "oc", "new-project", "myns")
-	c.Assert(outString, check.Matches, `(?s).*Now using project "myns".*`) // (?s) : '.' will also match newlines
+	outString := combinedOutputOfCommand(t, "oc", "new-project", "myns")
+	require.Regexp(t, `(?s).*Now using project "myns".*`, outString) // (?s) : '.' will also match newlines
 }

 // dockerLogin simulates (docker login) to the cluster, or terminates on failure.
 // We do not run (docker login) directly, because that requires a running daemon and a docker package.
-func (cluster *openshiftCluster) dockerLogin(c *check.C) {
+func (cluster *openshiftCluster) dockerLogin(t *testing.T) {
 	cluster.dockerDir = filepath.Join(homedir.Get(), ".docker")
 	err := os.Mkdir(cluster.dockerDir, 0700)
-	c.Assert(err, check.IsNil)
+	require.NoError(t, err)

-	out := combinedOutputOfCommand(c, "oc", "config", "view", "-o", "json", "-o", "jsonpath={.users[*].user.token}")
-	c.Logf("oc config value: %s", out)
+	out := combinedOutputOfCommand(t, "oc", "config", "view", "-o", "json", "-o", "jsonpath={.users[*].user.token}")
+	t.Logf("oc config value: %s", out)
 	authValue := base64.StdEncoding.EncodeToString([]byte("unused:" + out))
 	auths := []string{}
 	for _, port := range []int{5000, 5005, 5006} {
@@ -237,22 +237,22 @@ func (cluster *openshiftCluster) dockerLogin(c *check.C) {
 	}
 	configJSON := `{"auths": {` + strings.Join(auths, ",") + `}}`
 	err = os.WriteFile(filepath.Join(cluster.dockerDir, "config.json"), []byte(configJSON), 0600)
-	c.Assert(err, check.IsNil)
+	require.NoError(t, err)
 }

 // relaxImageSignerPermissions opens up the system:image-signer permissions so that
 // anyone can work with signatures
 // FIXME: This also allows anyone to DoS anyone else; this design is really not all
 // that workable, but it is the best we can do for now.
-func (cluster *openshiftCluster) relaxImageSignerPermissions(c *check.C) {
+func (cluster *openshiftCluster) relaxImageSignerPermissions(t *testing.T) {
 	cmd := cluster.clusterCmd(adminKUBECONFIG, "oadm", "policy", "add-cluster-role-to-group", "system:image-signer", "system:authenticated")
 	out, err := cmd.CombinedOutput()
-	c.Assert(err, check.IsNil, check.Commentf("%s", string(out)))
-	c.Assert(string(out), check.Equals, "cluster role \"system:image-signer\" added: \"system:authenticated\"\n")
+	require.NoError(t, err, "%s", string(out))
+	require.Equal(t, "cluster role \"system:image-signer\" added: \"system:authenticated\"\n", string(out))
 }

 // tearDown stops the cluster services and deletes (only some!) of the state.
-func (cluster *openshiftCluster) tearDown(c *check.C) {
+func (cluster *openshiftCluster) tearDown(t *testing.T) {
 	for i := len(cluster.processes) - 1; i >= 0; i-- {
 		// It’s undocumented what Kill() returns if the process has terminated,
 		// so we couldn’t check just for that. This is running in a container anyway…
@@ -260,6 +260,6 @@ func (cluster *openshiftCluster) tearDown(c *check.C) {
 	}
 	if cluster.dockerDir != "" {
 		err := os.RemoveAll(cluster.dockerDir)
-		c.Assert(err, check.IsNil)
+		require.NoError(t, err)
 	}
 }
--- a/integration/openshift_shell_test.go
+++ b/integration/openshift_shell_test.go
@@ -7,7 +7,8 @@ import (
 	"os"
 	"os/exec"

-	"gopkg.in/check.v1"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )

 /*
@@ -20,7 +21,7 @@ To use it, run:

 to start a container, then within the container:

-	SKOPEO_CONTAINER_TESTS=1 PS1='nested> ' go test -tags openshift_shell -timeout=24h ./integration -v -check.v -check.vv -check.f='CopySuite.TestRunShell'
+	SKOPEO_CONTAINER_TESTS=1 PS1='nested> ' go test -tags openshift_shell -timeout=24h ./integration -v -run='copySuite.TestRunShell'

 An example of what can be done within the container:

@@ -33,13 +34,14 @@ An example of what can be done within the container:
 	curl -L -v 'http://localhost:5000/v2/myns/personal/manifests/personal' --header 'Authorization: Bearer $token_from_oauth'
 	curl -L -v 'http://localhost:5000/extensions/v2/myns/personal/signatures/$manifest_digest' --header 'Authorization: Bearer $token_from_oauth'
 */
-func (s *CopySuite) TestRunShell(c *check.C) {
+func (s *copySuite) TestRunShell() {
+	t := s.T()
 	cmd := exec.Command("bash", "-i")
 	tty, err := os.OpenFile("/dev/tty", os.O_RDWR, 0)
-	c.Assert(err, check.IsNil)
+	require.NoError(t, err)
 	cmd.Stdin = tty
 	cmd.Stdout = tty
 	cmd.Stderr = tty
 	err = cmd.Run()
-	c.Assert(err, check.IsNil)
+	assert.NoError(t, err)
 }
--- a/integration/procutils.go
+++ b/integration/procutils.go
@@ -7,6 +7,6 @@ import (
 	"os/exec"
 )

-// cmdLifecycleToParentIfPossible tries to exit if the parent process exits (only works on Linux)
+// cmdLifecycleToParentIfPossible tries to exit if the parent process exits (only works on Linux).
 func cmdLifecycleToParentIfPossible(c *exec.Cmd) {
 }
--- a/integration/proxy_test.go
+++ b/integration/proxy_test.go
@@ -9,16 +9,18 @@ import (
 	"os/exec"
 	"strings"
 	"syscall"
+	"testing"
 	"time"

-	"gopkg.in/check.v1"
-
 	"github.com/containers/image/v5/manifest"
 	imgspecv1 "github.com/opencontainers/image-spec/specs-go/v1"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"github.com/stretchr/testify/suite"
 )

 // This image is known to be x86_64 only right now
-const knownNotManifestListedImage_x8664 = "docker://quay.io/coreos/11bot"
+const knownNotManifestListedImageX8664 = "docker://quay.io/coreos/11bot"

 // knownNotExtantImage would be very surprising if it did exist
 const knownNotExtantImage = "docker://quay.io/centos/centos:opensusewindowsubuntu"
@@ -32,7 +34,7 @@ type request struct {
 	// Method is the name of the function
 	Method string `json:"method"`
 	// Args is the arguments (parsed inside the function)
-	Args []interface{} `json:"args"`
+	Args []any `json:"args"`
 }

 // reply is copied from proxy.go
@@ -40,7 +42,7 @@ type reply struct {
 	// Success is true if and only if the call succeeded.
 	Success bool `json:"success"`
 	// Value is an arbitrary value (or values, as array/map) returned from the call.
-	Value interface{} `json:"value"`
+	Value any `json:"value"`
 	// PipeID is an index into open pipes, and should be passed to FinishPipe
 	PipeID uint32 `json:"pipeid"`
 	// Error should be non-empty if Success == false
@@ -60,7 +62,7 @@ type pipefd struct {
 	fd *os.File
 }

-func (p *proxy) call(method string, args []interface{}) (rval interface{}, fd *pipefd, err error) {
+func (p *proxy) call(method string, args []any) (rval any, fd *pipefd, err error) {
 	req := request{
 		Method: method,
 		Args:   args,
@@ -81,7 +83,7 @@ func (p *proxy) call(method string, args []interface{}) (rval interface{}, fd *p
 	replybuf := make([]byte, maxMsgSize)
 	n, oobn, _, _, err := p.c.ReadMsgUnix(replybuf, oob)
 	if err != nil {
-		err = fmt.Errorf("reading reply: %v", err)
+		err = fmt.Errorf("reading reply: %w", err)
 		return
 	}
 	var reply reply
@@ -99,7 +101,7 @@ func (p *proxy) call(method string, args []interface{}) (rval interface{}, fd *p
 		var scms []syscall.SocketControlMessage
 		scms, err = syscall.ParseSocketControlMessage(oob[:oobn])
 		if err != nil {
-			err = fmt.Errorf("failed to parse control message: %v", err)
+			err = fmt.Errorf("failed to parse control message: %w", err)
 			return
 		}
 		if len(scms) != 1 {
@@ -109,7 +111,7 @@ func (p *proxy) call(method string, args []interface{}) (rval interface{}, fd *p
 		var fds []int
 		fds, err = syscall.ParseUnixRights(&scms[0])
 		if err != nil {
-			err = fmt.Errorf("failed to parse unix rights: %v", err)
+			err = fmt.Errorf("failed to parse unix rights: %w", err)
 			return
 		}
 		fd = &pipefd{
@@ -122,7 +124,7 @@ func (p *proxy) call(method string, args []interface{}) (rval interface{}, fd *p
 	return
 }

-func (p *proxy) callNoFd(method string, args []interface{}) (rval interface{}, err error) {
+func (p *proxy) callNoFd(method string, args []any) (rval any, err error) {
 	var fd *pipefd
 	rval, fd, err = p.call(method, args)
 	if err != nil {
@@ -135,7 +137,7 @@ func (p *proxy) callNoFd(method string, args []interface{}) (rval interface{}, e
 	return rval, nil
 }

-func (p *proxy) callReadAllBytes(method string, args []interface{}) (rval interface{}, buf []byte, err error) {
+func (p *proxy) callReadAllBytes(method string, args []any) (rval any, buf []byte, err error) {
 	var fd *pipefd
 	rval, fd, err = p.call(method, args)
 	if err != nil {
@@ -153,7 +155,7 @@ func (p *proxy) callReadAllBytes(method string, args []interface{}) (rval interf
 			err:     err,
 		}
 	}()
-	_, err = p.callNoFd("FinishPipe", []interface{}{fd.id})
+	_, err = p.callNoFd("FinishPipe", []any{fd.id})
 	if err != nil {
 		return
 	}
@@ -214,17 +216,12 @@ func newProxy() (*proxy, error) {
 	return p, nil
 }

-func init() {
-	check.Suite(&ProxySuite{})
+func TestProxy(t *testing.T) {
+	suite.Run(t, &proxySuite{})
 }

-type ProxySuite struct {
-}
-
-func (s *ProxySuite) SetUpSuite(c *check.C) {
-}
-
-func (s *ProxySuite) TearDownSuite(c *check.C) {
+type proxySuite struct {
+	suite.Suite
 }

 type byteFetch struct {
@@ -233,7 +230,7 @@ type byteFetch struct {
 }

 func runTestGetManifestAndConfig(p *proxy, img string) error {
-	v, err := p.callNoFd("OpenImage", []interface{}{knownNotManifestListedImage_x8664})
+	v, err := p.callNoFd("OpenImage", []any{img})
 	if err != nil {
 		return err
 	}
@@ -242,13 +239,13 @@ func runTestGetManifestAndConfig(p *proxy, img string) error {
 	if !ok {
 		return fmt.Errorf("OpenImage return value is %T", v)
 	}
-	imgid := uint32(imgidv)
+	imgid := uint64(imgidv)
 	if imgid == 0 {
 		return fmt.Errorf("got zero from expected image")
 	}

 	// Also verify the optional path
-	v, err = p.callNoFd("OpenImageOptional", []interface{}{knownNotManifestListedImage_x8664})
+	v, err = p.callNoFd("OpenImageOptional", []any{img})
 	if err != nil {
 		return err
 	}
@@ -257,17 +254,17 @@ func runTestGetManifestAndConfig(p *proxy, img string) error {
 	if !ok {
 		return fmt.Errorf("OpenImageOptional return value is %T", v)
 	}
-	imgid2 := uint32(imgidv)
+	imgid2 := uint64(imgidv)
 	if imgid2 == 0 {
 		return fmt.Errorf("got zero from expected image")
 	}

-	_, err = p.callNoFd("CloseImage", []interface{}{imgid2})
+	_, err = p.callNoFd("CloseImage", []any{imgid2})
 	if err != nil {
 		return err
 	}

-	_, manifestBytes, err := p.callReadAllBytes("GetManifest", []interface{}{imgid})
+	_, manifestBytes, err := p.callReadAllBytes("GetManifest", []any{imgid})
 	if err != nil {
 		return err
 	}
@@ -276,7 +273,7 @@ func runTestGetManifestAndConfig(p *proxy, img string) error {
 		return err
 	}

-	_, configBytes, err := p.callReadAllBytes("GetFullConfig", []interface{}{imgid})
+	_, configBytes, err := p.callReadAllBytes("GetFullConfig", []any{imgid})
 	if err != nil {
 		return err
 	}
@@ -295,7 +292,7 @@ func runTestGetManifestAndConfig(p *proxy, img string) error {
 	}

 	// Also test this legacy interface
-	_, ctrconfigBytes, err := p.callReadAllBytes("GetConfig", []interface{}{imgid})
+	_, ctrconfigBytes, err := p.callReadAllBytes("GetConfig", []any{imgid})
 	if err != nil {
 		return err
 	}
@@ -310,7 +307,7 @@ func runTestGetManifestAndConfig(p *proxy, img string) error {
 		return fmt.Errorf("No CMD or ENTRYPOINT set")
 	}

-	_, err = p.callNoFd("CloseImage", []interface{}{imgid})
+	_, err = p.callNoFd("CloseImage", []any{imgid})
 	if err != nil {
 		return err
 	}
@@ -319,7 +316,7 @@ func runTestGetManifestAndConfig(p *proxy, img string) error {
 }

 func runTestOpenImageOptionalNotFound(p *proxy, img string) error {
-	v, err := p.callNoFd("OpenImageOptional", []interface{}{img})
+	v, err := p.callNoFd("OpenImageOptional", []any{img})
 	if err != nil {
 		return err
 	}
@@ -328,32 +325,33 @@ func runTestOpenImageOptionalNotFound(p *proxy, img string) error {
 	if !ok {
 		return fmt.Errorf("OpenImageOptional return value is %T", v)
 	}
-	imgid := uint32(imgidv)
+	imgid := uint64(imgidv)
 	if imgid != 0 {
 		return fmt.Errorf("Unexpected optional image id %v", imgid)
 	}
 	return nil
 }

-func (s *ProxySuite) TestProxy(c *check.C) {
+func (s *proxySuite) TestProxy() {
+	t := s.T()
 	p, err := newProxy()
-	c.Assert(err, check.IsNil)
+	require.NoError(t, err)

-	err = runTestGetManifestAndConfig(p, knownNotManifestListedImage_x8664)
+	err = runTestGetManifestAndConfig(p, knownNotManifestListedImageX8664)
 	if err != nil {
-		err = fmt.Errorf("Testing image %s: %v", knownNotManifestListedImage_x8664, err)
+		err = fmt.Errorf("Testing image %s: %v", knownNotManifestListedImageX8664, err)
 	}
-	c.Assert(err, check.IsNil)
+	assert.NoError(t, err)

 	err = runTestGetManifestAndConfig(p, knownListImage)
 	if err != nil {
 		err = fmt.Errorf("Testing image %s: %v", knownListImage, err)
 	}
-	c.Assert(err, check.IsNil)
+	assert.NoError(t, err)

 	err = runTestOpenImageOptionalNotFound(p, knownNotExtantImage)
 	if err != nil {
 		err = fmt.Errorf("Testing optional image %s: %v", knownNotExtantImage, err)
 	}
-	c.Assert(err, check.IsNil)
+	assert.NoError(t, err)
 }
--- a/integration/registry.go
+++ b/integration/registry.go
@@ -6,9 +6,10 @@ import (
 	"os"
 	"os/exec"
 	"path/filepath"
+	"testing"
 	"time"

-	"gopkg.in/check.v1"
+	"github.com/stretchr/testify/require"
 )

 const (
@@ -24,9 +25,9 @@ type testRegistryV2 struct {
 	email    string
 }

-func setupRegistryV2At(c *check.C, url string, auth, schema1 bool) *testRegistryV2 {
-	reg, err := newTestRegistryV2At(c, url, auth, schema1)
-	c.Assert(err, check.IsNil)
+func setupRegistryV2At(t *testing.T, url string, auth, schema1 bool) *testRegistryV2 {
+	reg, err := newTestRegistryV2At(t, url, auth, schema1)
+	require.NoError(t, err)

 	// Wait for registry to be ready to serve requests.
 	for i := 0; i != 50; i++ {
@@ -37,13 +38,13 @@ func setupRegistryV2At(c *check.C, url string, auth, schema1 bool) *testRegistry
 	}

 	if err != nil {
-		c.Fatal("Timeout waiting for test registry to become available")
+		t.Fatal("Timeout waiting for test registry to become available")
 	}
 	return reg
 }

-func newTestRegistryV2At(c *check.C, url string, auth, schema1 bool) (*testRegistryV2, error) {
-	tmp := c.MkDir()
+func newTestRegistryV2At(t *testing.T, url string, auth, schema1 bool) (*testRegistryV2, error) {
+	tmp := t.TempDir()
 	template := `version: 0.1
 loglevel: debug
 storage:
@@ -94,10 +95,10 @@ compatibility:
 		cmd = exec.Command(binaryV2, "serve", confPath)
 	}

-	consumeAndLogOutputs(c, fmt.Sprintf("registry-%s", url), cmd)
+	consumeAndLogOutputs(t, fmt.Sprintf("registry-%s", url), cmd)
 	if err := cmd.Start(); err != nil {
 		if os.IsNotExist(err) {
-			c.Skip(err.Error())
+			t.Skip(err.Error())
 		}
 		return nil, err
 	}
@@ -110,9 +111,9 @@ compatibility:
 	}, nil
 }

-func (t *testRegistryV2) Ping() error {
+func (r *testRegistryV2) Ping() error {
 	// We always ping through HTTP for our test registry.
-	resp, err := http.Get(fmt.Sprintf("http://%s/v2/", t.url))
+	resp, err := http.Get(fmt.Sprintf("http://%s/v2/", r.url))
 	if err != nil {
 		return err
 	}
@@ -123,8 +124,8 @@ func (t *testRegistryV2) Ping() error {
 	return nil
 }

-func (t *testRegistryV2) tearDown(c *check.C) {
+func (r *testRegistryV2) tearDown() {
 	// It’s undocumented what Kill() returns if the process has terminated,
 	// so we couldn’t check just for that. This is running in a container anyway…
-	_ = t.cmd.Process.Kill()
+	_ = r.cmd.Process.Kill()
 }
--- a/integration/signing_test.go
+++ b/integration/signing_test.go
@@ -6,23 +6,28 @@ import (
 	"os"
 	"os/exec"
 	"strings"
+	"testing"

 	"github.com/containers/image/v5/signature"
-	"gopkg.in/check.v1"
+	"github.com/stretchr/testify/require"
+	"github.com/stretchr/testify/suite"
 )

 const (
 	gpgBinary = "gpg"
 )

-func init() {
-	check.Suite(&SigningSuite{})
+func TestSigning(t *testing.T) {
+	suite.Run(t, &signingSuite{})
 }

-type SigningSuite struct {
+type signingSuite struct {
+	suite.Suite
 	fingerprint string
 }

+var _ = suite.SetupAllSuite(&signingSuite{})
+
 func findFingerprint(lineBytes []byte) (string, error) {
 	lines := string(lineBytes)
 	for _, line := range strings.Split(lines, "\n") {
@@ -34,43 +39,41 @@ func findFingerprint(lineBytes []byte) (string, error) {
 	return "", errors.New("No fingerprint found")
 }

-func (s *SigningSuite) SetUpSuite(c *check.C) {
+func (s *signingSuite) SetupSuite() {
+	t := s.T()
 	_, err := exec.LookPath(skopeoBinary)
-	c.Assert(err, check.IsNil)
+	require.NoError(t, err)

-	gpgHome := c.MkDir()
-	os.Setenv("GNUPGHOME", gpgHome)
+	gpgHome := t.TempDir()
+	t.Setenv("GNUPGHOME", gpgHome)

-	runCommandWithInput(c, "Key-Type: RSA\nName-Real: Testing user\n%no-protection\n%commit\n", gpgBinary, "--homedir", gpgHome, "--batch", "--gen-key")
+	runCommandWithInput(t, "Key-Type: RSA\nName-Real: Testing user\n%no-protection\n%commit\n", gpgBinary, "--homedir", gpgHome, "--batch", "--gen-key")

 	lines, err := exec.Command(gpgBinary, "--homedir", gpgHome, "--with-colons", "--no-permission-warning", "--fingerprint").Output()
-	c.Assert(err, check.IsNil)
+	require.NoError(t, err)
 	s.fingerprint, err = findFingerprint(lines)
-	c.Assert(err, check.IsNil)
+	require.NoError(t, err)
 }

-func (s *SigningSuite) TearDownSuite(c *check.C) {
-	os.Unsetenv("GNUPGHOME")
-}
-
-func (s *SigningSuite) TestSignVerifySmoke(c *check.C) {
+func (s *signingSuite) TestSignVerifySmoke() {
+	t := s.T()
 	mech, _, err := signature.NewEphemeralGPGSigningMechanism([]byte{})
-	c.Assert(err, check.IsNil)
+	require.NoError(t, err)
 	defer mech.Close()
 	if err := mech.SupportsSigning(); err != nil { // FIXME? Test that verification and policy enforcement works, using signatures from fixtures
-		c.Skip(fmt.Sprintf("Signing not supported: %v", err))
+		t.Skipf("Signing not supported: %v", err)
 	}

 	manifestPath := "fixtures/image.manifest.json"
 	dockerReference := "testing/smoketest"

 	sigOutput, err := os.CreateTemp("", "sig")
-	c.Assert(err, check.IsNil)
+	require.NoError(t, err)
 	defer os.Remove(sigOutput.Name())
-	assertSkopeoSucceeds(c, "^$", "standalone-sign", "-o", sigOutput.Name(),
+	assertSkopeoSucceeds(t, "^$", "standalone-sign", "-o", sigOutput.Name(),
 		manifestPath, dockerReference, s.fingerprint)

-	expected := fmt.Sprintf("^Signature verified, digest %s\n$", TestImageManifestDigest)
-	assertSkopeoSucceeds(c, expected, "standalone-verify", manifestPath,
+	expected := fmt.Sprintf("^Signature verified using fingerprint %s, digest %s\n$", s.fingerprint, TestImageManifestDigest)
+	assertSkopeoSucceeds(t, expected, "standalone-verify", manifestPath,
 		dockerReference, s.fingerprint, sigOutput.Name())
 }
--- a/integration/sync_test.go
+++ b/integration/sync_test.go
@@ -9,54 +9,63 @@ import (
 	"path/filepath"
 	"regexp"
 	"strings"
+	"testing"

 	"github.com/containers/image/v5/docker"
 	"github.com/containers/image/v5/docker/reference"
 	"github.com/containers/image/v5/manifest"
 	"github.com/containers/image/v5/types"
 	imgspecv1 "github.com/opencontainers/image-spec/specs-go/v1"
-	"gopkg.in/check.v1"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"github.com/stretchr/testify/suite"
 )

 const (
 	// A repository with a path with multiple components in it which
 	// contains multiple tags, preferably with some tags pointing to
 	// manifest lists, and with some tags that don't.
-	pullableRepo = "k8s.gcr.io/coredns/coredns"
+	pullableRepo = "registry.k8s.io/coredns/coredns"
 	// A tagged image in the repository that we can inspect and copy.
-	pullableTaggedImage = "k8s.gcr.io/coredns/coredns:v1.6.6"
+	pullableTaggedImage = "registry.k8s.io/coredns/coredns:v1.6.6"
 	// A tagged manifest list in the repository that we can inspect and copy.
-	pullableTaggedManifestList = "k8s.gcr.io/coredns/coredns:v1.8.0"
+	pullableTaggedManifestList = "registry.k8s.io/coredns/coredns:v1.8.0"
 	// A repository containing multiple tags, some of which are for
 	// manifest lists, and which includes a "latest" tag.  We specify the
 	// name here without a tag.
-	pullableRepoWithLatestTag = "k8s.gcr.io/pause"
+	pullableRepoWithLatestTag = "registry.k8s.io/pause"
 )

-func init() {
-	check.Suite(&SyncSuite{})
+func TestSync(t *testing.T) {
+	suite.Run(t, &syncSuite{})
 }

-type SyncSuite struct {
+type syncSuite struct {
+	suite.Suite
 	cluster  *openshiftCluster
 	registry *testRegistryV2
 }

-func (s *SyncSuite) SetUpSuite(c *check.C) {
+var _ = suite.SetupAllSuite(&syncSuite{})
+var _ = suite.TearDownAllSuite(&syncSuite{})
+
+func (s *syncSuite) SetupSuite() {
+	t := s.T()
+
 	const registryAuth = false
 	const registrySchema1 = false

 	if os.Getenv("SKOPEO_LOCAL_TESTS") == "1" {
-		c.Log("Running tests without a container")
+		t.Log("Running tests without a container")
 		fmt.Printf("NOTE: tests requires a V2 registry at url=%s, with auth=%t, schema1=%t \n", v2DockerRegistryURL, registryAuth, registrySchema1)
 		return
 	}

 	if os.Getenv("SKOPEO_CONTAINER_TESTS") != "1" {
-		c.Skip("Not running in a container, refusing to affect user state")
+		t.Skip("Not running in a container, refusing to affect user state")
 	}

-	s.cluster = startOpenshiftCluster(c) // FIXME: Set up TLS for the docker registry port instead of using "--tls-verify=false" all over the place.
+	s.cluster = startOpenshiftCluster(t) // FIXME: Set up TLS for the docker registry port instead of using "--tls-verify=false" all over the place.

 	for _, stream := range []string{"unsigned", "personal", "official", "naming", "cosigned", "compression", "schema1", "schema2"} {
 		isJSON := fmt.Sprintf(`{
@@ -67,41 +76,42 @@ func (s *SyncSuite) SetUpSuite(c *check.C) {
 			},
 			"spec": {}
 		}`, stream)
-		runCommandWithInput(c, isJSON, "oc", "create", "-f", "-")
+		runCommandWithInput(t, isJSON, "oc", "create", "-f", "-")
 	}

 	// FIXME: Set up TLS for the docker registry port instead of using "--tls-verify=false" all over the place.
-	s.registry = setupRegistryV2At(c, v2DockerRegistryURL, registryAuth, registrySchema1)
+	s.registry = setupRegistryV2At(t, v2DockerRegistryURL, registryAuth, registrySchema1)

-	gpgHome := c.MkDir()
-	os.Setenv("GNUPGHOME", gpgHome)
+	gpgHome := t.TempDir()
+	t.Setenv("GNUPGHOME", gpgHome)

 	for _, key := range []string{"personal", "official"} {
 		batchInput := fmt.Sprintf("Key-Type: RSA\nName-Real: Test key - %s\nName-email: %s@example.com\n%%no-protection\n%%commit\n",
 			key, key)
-		runCommandWithInput(c, batchInput, gpgBinary, "--batch", "--gen-key")
+		runCommandWithInput(t, batchInput, gpgBinary, "--batch", "--gen-key")

-		out := combinedOutputOfCommand(c, gpgBinary, "--armor", "--export", fmt.Sprintf("%s@example.com", key))
+		out := combinedOutputOfCommand(t, gpgBinary, "--armor", "--export", fmt.Sprintf("%s@example.com", key))
 		err := os.WriteFile(filepath.Join(gpgHome, fmt.Sprintf("%s-pubkey.gpg", key)),
 			[]byte(out), 0600)
-		c.Assert(err, check.IsNil)
+		require.NoError(t, err)
 	}
 }

-func (s *SyncSuite) TearDownSuite(c *check.C) {
+func (s *syncSuite) TearDownSuite() {
+	t := s.T()
 	if os.Getenv("SKOPEO_LOCAL_TESTS") == "1" {
 		return
 	}

 	if s.registry != nil {
-		s.registry.tearDown(c)
+		s.registry.tearDown()
 	}
 	if s.cluster != nil {
-		s.cluster.tearDown(c)
+		s.cluster.tearDown(t)
 	}
 }

-func assertNumberOfManifestsInSubdirs(c *check.C, dir string, expectedCount int) {
+func assertNumberOfManifestsInSubdirs(t *testing.T, dir string, expectedCount int) {
 	nManifests := 0
 	err := filepath.WalkDir(dir, func(path string, d fs.DirEntry, err error) error {
 		if err != nil {
@@ -113,156 +123,163 @@ func assertNumberOfManifestsInSubdirs(c *check.C, dir string, expectedCount int)
 		}
 		return nil
 	})
-	c.Assert(err, check.IsNil)
-	c.Assert(nManifests, check.Equals, expectedCount)
+	require.NoError(t, err)
+	assert.Equal(t, expectedCount, nManifests)
 }

-func (s *SyncSuite) TestDocker2DirTagged(c *check.C) {
-	tmpDir := c.MkDir()
+func (s *syncSuite) TestDocker2DirTagged() {
+	t := s.T()
+	tmpDir := t.TempDir()

 	// FIXME: It would be nice to use one of the local Docker registries instead of needing an Internet connection.
 	image := pullableTaggedImage
 	imageRef, err := docker.ParseReference(fmt.Sprintf("//%s", image))
-	c.Assert(err, check.IsNil)
+	require.NoError(t, err)
 	imagePath := imageRef.DockerReference().String()

 	dir1 := path.Join(tmpDir, "dir1")
 	dir2 := path.Join(tmpDir, "dir2")

 	// sync docker => dir
-	assertSkopeoSucceeds(c, "", "sync", "--scoped", "--src", "docker", "--dest", "dir", image, dir1)
+	assertSkopeoSucceeds(t, "", "sync", "--scoped", "--src", "docker", "--dest", "dir", image, dir1)
 	_, err = os.Stat(path.Join(dir1, imagePath, "manifest.json"))
-	c.Assert(err, check.IsNil)
+	require.NoError(t, err)

 	// copy docker => dir
-	assertSkopeoSucceeds(c, "", "copy", "docker://"+image, "dir:"+dir2)
+	assertSkopeoSucceeds(t, "", "copy", "docker://"+image, "dir:"+dir2)
 	_, err = os.Stat(path.Join(dir2, "manifest.json"))
-	c.Assert(err, check.IsNil)
+	require.NoError(t, err)

-	out := combinedOutputOfCommand(c, "diff", "-urN", path.Join(dir1, imagePath), dir2)
-	c.Assert(out, check.Equals, "")
+	out := combinedOutputOfCommand(t, "diff", "-urN", path.Join(dir1, imagePath), dir2)
+	assert.Equal(t, "", out)
 }

-func (s *SyncSuite) TestDocker2DirTaggedAll(c *check.C) {
-	tmpDir := c.MkDir()
+func (s *syncSuite) TestDocker2DirTaggedAll() {
+	t := s.T()
+	tmpDir := t.TempDir()

 	// FIXME: It would be nice to use one of the local Docker registries instead of needing an Internet connection.
 	image := pullableTaggedManifestList
 	imageRef, err := docker.ParseReference(fmt.Sprintf("//%s", image))
-	c.Assert(err, check.IsNil)
+	require.NoError(t, err)
 	imagePath := imageRef.DockerReference().String()

 	dir1 := path.Join(tmpDir, "dir1")
 	dir2 := path.Join(tmpDir, "dir2")

 	// sync docker => dir
-	assertSkopeoSucceeds(c, "", "sync", "--all", "--scoped", "--src", "docker", "--dest", "dir", image, dir1)
+	assertSkopeoSucceeds(t, "", "sync", "--all", "--scoped", "--src", "docker", "--dest", "dir", image, dir1)
 	_, err = os.Stat(path.Join(dir1, imagePath, "manifest.json"))
-	c.Assert(err, check.IsNil)
+	require.NoError(t, err)

 	// copy docker => dir
-	assertSkopeoSucceeds(c, "", "copy", "--all", "docker://"+image, "dir:"+dir2)
+	assertSkopeoSucceeds(t, "", "copy", "--all", "docker://"+image, "dir:"+dir2)
 	_, err = os.Stat(path.Join(dir2, "manifest.json"))
-	c.Assert(err, check.IsNil)
+	require.NoError(t, err)

-	out := combinedOutputOfCommand(c, "diff", "-urN", path.Join(dir1, imagePath), dir2)
-	c.Assert(out, check.Equals, "")
+	out := combinedOutputOfCommand(t, "diff", "-urN", path.Join(dir1, imagePath), dir2)
+	assert.Equal(t, "", out)
 }

-func (s *SyncSuite) TestPreserveDigests(c *check.C) {
-	tmpDir := c.MkDir()
+func (s *syncSuite) TestPreserveDigests() {
+	t := s.T()
+	tmpDir := t.TempDir()

 	// FIXME: It would be nice to use one of the local Docker registries instead of needing an Internet connection.
 	image := pullableTaggedManifestList

 	// copy docker => dir
-	assertSkopeoSucceeds(c, "", "copy", "--all", "--preserve-digests", "docker://"+image, "dir:"+tmpDir)
+	assertSkopeoSucceeds(t, "", "copy", "--all", "--preserve-digests", "docker://"+image, "dir:"+tmpDir)
 	_, err := os.Stat(path.Join(tmpDir, "manifest.json"))
-	c.Assert(err, check.IsNil)
+	require.NoError(t, err)

-	assertSkopeoFails(c, ".*Instructed to preserve digests.*", "copy", "--all", "--preserve-digests", "--format=oci", "docker://"+image, "dir:"+tmpDir)
+	assertSkopeoFails(t, ".*Instructed to preserve digests.*", "copy", "--all", "--preserve-digests", "--format=oci", "docker://"+image, "dir:"+tmpDir)
 }

-func (s *SyncSuite) TestScoped(c *check.C) {
+func (s *syncSuite) TestScoped() {
+	t := s.T()
 	// FIXME: It would be nice to use one of the local Docker registries instead of needing an Internet connection.
 	image := pullableTaggedImage
 	imageRef, err := docker.ParseReference(fmt.Sprintf("//%s", image))
-	c.Assert(err, check.IsNil)
+	require.NoError(t, err)
 	imagePath := imageRef.DockerReference().String()

-	dir1 := c.MkDir()
-	assertSkopeoSucceeds(c, "", "sync", "--src", "docker", "--dest", "dir", image, dir1)
+	dir1 := t.TempDir()
+	assertSkopeoSucceeds(t, "", "sync", "--src", "docker", "--dest", "dir", image, dir1)
 	_, err = os.Stat(path.Join(dir1, path.Base(imagePath), "manifest.json"))
-	c.Assert(err, check.IsNil)
+	require.NoError(t, err)

-	assertSkopeoSucceeds(c, "", "sync", "--scoped", "--src", "docker", "--dest", "dir", image, dir1)
+	assertSkopeoSucceeds(t, "", "sync", "--scoped", "--src", "docker", "--dest", "dir", image, dir1)
 	_, err = os.Stat(path.Join(dir1, imagePath, "manifest.json"))
-	c.Assert(err, check.IsNil)
+	require.NoError(t, err)
 }

-func (s *SyncSuite) TestDirIsNotOverwritten(c *check.C) {
+func (s *syncSuite) TestDirIsNotOverwritten() {
+	t := s.T()
 	// FIXME: It would be nice to use one of the local Docker registries instead of needing an Internet connection.
 	image := pullableRepoWithLatestTag
 	imageRef, err := docker.ParseReference(fmt.Sprintf("//%s", image))
-	c.Assert(err, check.IsNil)
+	require.NoError(t, err)
 	imagePath := imageRef.DockerReference().String()

 	// make a copy of the image in the local registry
-	assertSkopeoSucceeds(c, "", "copy", "--dest-tls-verify=false", "docker://"+image, "docker://"+path.Join(v2DockerRegistryURL, reference.Path(imageRef.DockerReference())))
+	assertSkopeoSucceeds(t, "", "copy", "--dest-tls-verify=false", "docker://"+image, "docker://"+path.Join(v2DockerRegistryURL, reference.Path(imageRef.DockerReference())))

 	//sync upstream image to dir, not scoped
-	dir1 := c.MkDir()
-	assertSkopeoSucceeds(c, "", "sync", "--src", "docker", "--dest", "dir", image, dir1)
+	dir1 := t.TempDir()
+	assertSkopeoSucceeds(t, "", "sync", "--src", "docker", "--dest", "dir", image, dir1)
 	_, err = os.Stat(path.Join(dir1, path.Base(imagePath), "manifest.json"))
-	c.Assert(err, check.IsNil)
+	require.NoError(t, err)

 	//sync local registry image to dir, not scoped
-	assertSkopeoFails(c, ".*Refusing to overwrite destination directory.*", "sync", "--src-tls-verify=false", "--src", "docker", "--dest", "dir", path.Join(v2DockerRegistryURL, reference.Path(imageRef.DockerReference())), dir1)
+	assertSkopeoFails(t, ".*Refusing to overwrite destination directory.*", "sync", "--src-tls-verify=false", "--src", "docker", "--dest", "dir", path.Join(v2DockerRegistryURL, reference.Path(imageRef.DockerReference())), dir1)

 	//sync local registry image to dir, scoped
 	imageRef, err = docker.ParseReference(fmt.Sprintf("//%s", path.Join(v2DockerRegistryURL, reference.Path(imageRef.DockerReference()))))
-	c.Assert(err, check.IsNil)
+	require.NoError(t, err)
 	imagePath = imageRef.DockerReference().String()
-	assertSkopeoSucceeds(c, "", "sync", "--scoped", "--src-tls-verify=false", "--src", "docker", "--dest", "dir", path.Join(v2DockerRegistryURL, reference.Path(imageRef.DockerReference())), dir1)
+	assertSkopeoSucceeds(t, "", "sync", "--scoped", "--src-tls-verify=false", "--src", "docker", "--dest", "dir", path.Join(v2DockerRegistryURL, reference.Path(imageRef.DockerReference())), dir1)
 	_, err = os.Stat(path.Join(dir1, imagePath, "manifest.json"))
-	c.Assert(err, check.IsNil)
+	require.NoError(t, err)
 }

-func (s *SyncSuite) TestDocker2DirUntagged(c *check.C) {
-	tmpDir := c.MkDir()
+func (s *syncSuite) TestDocker2DirUntagged() {
+	t := s.T()
+	tmpDir := t.TempDir()

 	// FIXME: It would be nice to use one of the local Docker registries instead of needing an Internet connection.
 	image := pullableRepo
 	imageRef, err := docker.ParseReference(fmt.Sprintf("//%s", image))
-	c.Assert(err, check.IsNil)
+	require.NoError(t, err)
 	imagePath := imageRef.DockerReference().String()

 	dir1 := path.Join(tmpDir, "dir1")
-	assertSkopeoSucceeds(c, "", "sync", "--scoped", "--src", "docker", "--dest", "dir", image, dir1)
+	assertSkopeoSucceeds(t, "", "sync", "--scoped", "--src", "docker", "--dest", "dir", image, dir1)

 	sysCtx := types.SystemContext{}
 	tags, err := docker.GetRepositoryTags(context.Background(), &sysCtx, imageRef)
-	c.Assert(err, check.IsNil)
-	c.Check(len(tags), check.Not(check.Equals), 0)
+	require.NoError(t, err)
+	assert.NotZero(t, len(tags))

 	nManifests, err := filepath.Glob(path.Join(dir1, path.Dir(imagePath), "*", "manifest.json"))
-	c.Assert(err, check.IsNil)
-	c.Assert(len(nManifests), check.Equals, len(tags))
+	require.NoError(t, err)
+	assert.Len(t, nManifests, len(tags))
 }

-func (s *SyncSuite) TestYamlUntagged(c *check.C) {
-	tmpDir := c.MkDir()
+func (s *syncSuite) TestYamlUntagged() {
+	t := s.T()
+	tmpDir := t.TempDir()
 	dir1 := path.Join(tmpDir, "dir1")

 	image := pullableRepo
 	imageRef, err := docker.ParseReference(fmt.Sprintf("//%s", image))
-	c.Assert(err, check.IsNil)
+	require.NoError(t, err)
 	imagePath := imageRef.DockerReference().Name()

 	sysCtx := types.SystemContext{}
 	tags, err := docker.GetRepositoryTags(context.Background(), &sysCtx, imageRef)
-	c.Assert(err, check.IsNil)
-	c.Check(len(tags), check.Not(check.Equals), 0)
+	require.NoError(t, err)
+	assert.NotZero(t, len(tags))

 	yamlConfig := fmt.Sprintf(`
 %s:
@@ -273,8 +290,8 @@ func (s *SyncSuite) TestYamlUntagged(c *check.C) {
 	// sync to the local registry
 	yamlFile := path.Join(tmpDir, "registries.yaml")
 	err = os.WriteFile(yamlFile, []byte(yamlConfig), 0644)
-	c.Assert(err, check.IsNil)
-	assertSkopeoSucceeds(c, "", "sync", "--scoped", "--src", "yaml", "--dest", "docker", "--dest-tls-verify=false", yamlFile, v2DockerRegistryURL)
+	require.NoError(t, err)
+	assertSkopeoSucceeds(t, "", "sync", "--scoped", "--src", "yaml", "--dest", "docker", "--dest-tls-verify=false", yamlFile, v2DockerRegistryURL)
 	// sync back from local registry to a folder
 	os.Remove(yamlFile)
 	yamlConfig = fmt.Sprintf(`
@@ -285,64 +302,67 @@ func (s *SyncSuite) TestYamlUntagged(c *check.C) {
 `, v2DockerRegistryURL, imagePath)

 	err = os.WriteFile(yamlFile, []byte(yamlConfig), 0644)
-	c.Assert(err, check.IsNil)
-	assertSkopeoSucceeds(c, "", "sync", "--scoped", "--src", "yaml", "--dest", "dir", yamlFile, dir1)
+	require.NoError(t, err)
+	assertSkopeoSucceeds(t, "", "sync", "--scoped", "--src", "yaml", "--dest", "dir", yamlFile, dir1)

 	sysCtx = types.SystemContext{
 		DockerInsecureSkipTLSVerify: types.NewOptionalBool(true),
 	}
 	localImageRef, err := docker.ParseReference(fmt.Sprintf("//%s/%s", v2DockerRegistryURL, imagePath))
-	c.Assert(err, check.IsNil)
+	require.NoError(t, err)
 	localTags, err := docker.GetRepositoryTags(context.Background(), &sysCtx, localImageRef)
-	c.Assert(err, check.IsNil)
-	c.Check(len(localTags), check.Not(check.Equals), 0)
-	c.Assert(len(localTags), check.Equals, len(tags))
-	assertNumberOfManifestsInSubdirs(c, dir1, len(tags))
+	require.NoError(t, err)
+	assert.NotZero(t, len(localTags))
+	assert.Len(t, localTags, len(tags))
+	assertNumberOfManifestsInSubdirs(t, dir1, len(tags))
 }

-func (s *SyncSuite) TestYamlRegex2Dir(c *check.C) {
-	tmpDir := c.MkDir()
+func (s *syncSuite) TestYamlRegex2Dir() {
+	t := s.T()
+	tmpDir := t.TempDir()
 	dir1 := path.Join(tmpDir, "dir1")

 	yamlConfig := `
-k8s.gcr.io:
+registry.k8s.io:
  images-by-tag-regex:
    pause: ^[12]\.0$  # regex string test
 `
 	// the       ↑    regex strings always matches only 2 images
 	var nTags = 2
-	c.Assert(nTags, check.Not(check.Equals), 0)
+	assert.NotZero(t, nTags)

 	yamlFile := path.Join(tmpDir, "registries.yaml")
 	err := os.WriteFile(yamlFile, []byte(yamlConfig), 0644)
-	c.Assert(err, check.IsNil)
-	assertSkopeoSucceeds(c, "", "sync", "--scoped", "--src", "yaml", "--dest", "dir", yamlFile, dir1)
-	assertNumberOfManifestsInSubdirs(c, dir1, nTags)
+	require.NoError(t, err)
+	assertSkopeoSucceeds(t, "", "sync", "--scoped", "--src", "yaml", "--dest", "dir", yamlFile, dir1)
+	assertNumberOfManifestsInSubdirs(t, dir1, nTags)
 }

-func (s *SyncSuite) TestYamlDigest2Dir(c *check.C) {
-	tmpDir := c.MkDir()
+func (s *syncSuite) TestYamlDigest2Dir() {
+	t := s.T()
+	tmpDir := t.TempDir()
 	dir1 := path.Join(tmpDir, "dir1")

 	yamlConfig := `
-k8s.gcr.io:
+registry.k8s.io:
  images:
    pause:
    - sha256:59eec8837a4d942cc19a52b8c09ea75121acc38114a2c68b98983ce9356b8610
 `
 	yamlFile := path.Join(tmpDir, "registries.yaml")
 	err := os.WriteFile(yamlFile, []byte(yamlConfig), 0644)
-	c.Assert(err, check.IsNil)
-	assertSkopeoSucceeds(c, "", "sync", "--scoped", "--src", "yaml", "--dest", "dir", yamlFile, dir1)
-	assertNumberOfManifestsInSubdirs(c, dir1, 1)
+	require.NoError(t, err)
+	assertSkopeoSucceeds(t, "", "sync", "--scoped", "--src", "yaml", "--dest", "dir", yamlFile, dir1)
+	assertNumberOfManifestsInSubdirs(t, dir1, 1)
 }

-func (s *SyncSuite) TestYaml2Dir(c *check.C) {
-	tmpDir := c.MkDir()
+func (s *syncSuite) TestYaml2Dir() {
+	t := s.T()
+	tmpDir := t.TempDir()
 	dir1 := path.Join(tmpDir, "dir1")

 	yamlConfig := `
-k8s.gcr.io:
+registry.k8s.io:
  images:
    coredns/coredns:
      - v1.8.0
@@ -366,25 +386,26 @@ quay.io:
 			nTags++
 		}
 	}
-	c.Assert(nTags, check.Not(check.Equals), 0)
+	assert.NotZero(t, nTags)

 	yamlFile := path.Join(tmpDir, "registries.yaml")
 	err := os.WriteFile(yamlFile, []byte(yamlConfig), 0644)
-	c.Assert(err, check.IsNil)
-	assertSkopeoSucceeds(c, "", "sync", "--scoped", "--src", "yaml", "--dest", "dir", yamlFile, dir1)
-	assertNumberOfManifestsInSubdirs(c, dir1, nTags)
+	require.NoError(t, err)
+	assertSkopeoSucceeds(t, "", "sync", "--scoped", "--src", "yaml", "--dest", "dir", yamlFile, dir1)
+	assertNumberOfManifestsInSubdirs(t, dir1, nTags)
 }

-func (s *SyncSuite) TestYamlTLSVerify(c *check.C) {
+func (s *syncSuite) TestYamlTLSVerify() {
+	t := s.T()
 	const localRegURL = "docker://" + v2DockerRegistryURL + "/"
-	tmpDir := c.MkDir()
+	tmpDir := t.TempDir()
 	dir1 := path.Join(tmpDir, "dir1")
 	image := pullableRepoWithLatestTag
 	tag := "latest"

 	// FIXME: It would be nice to use one of the local Docker registries instead of needing an Internet connection.
 	// copy docker => docker
-	assertSkopeoSucceeds(c, "", "copy", "--dest-tls-verify=false", "docker://"+image+":"+tag, localRegURL+image+":"+tag)
+	assertSkopeoSucceeds(t, "", "copy", "--dest-tls-verify=false", "docker://"+image+":"+tag, localRegURL+image+":"+tag)

 	yamlTemplate := `
 %s:
@@ -396,7 +417,7 @@ func (s *SyncSuite) TestYamlTLSVerify(c *check.C) {
 	testCfg := []struct {
 		tlsVerify string
 		msg       string
-		checker   func(c *check.C, regexp string, args ...string)
+		checker   func(t *testing.T, regexp string, args ...string)
 	}{
 		{
 			tlsVerify: "tls-verify: false",
@@ -420,17 +441,18 @@ func (s *SyncSuite) TestYamlTLSVerify(c *check.C) {
 		yamlConfig := fmt.Sprintf(yamlTemplate, v2DockerRegistryURL, cfg.tlsVerify, image, tag)
 		yamlFile := path.Join(tmpDir, "registries.yaml")
 		err := os.WriteFile(yamlFile, []byte(yamlConfig), 0644)
-		c.Assert(err, check.IsNil)
+		require.NoError(t, err)

-		cfg.checker(c, cfg.msg, "sync", "--scoped", "--src", "yaml", "--dest", "dir", yamlFile, dir1)
+		cfg.checker(t, cfg.msg, "sync", "--scoped", "--src", "yaml", "--dest", "dir", yamlFile, dir1)
 		os.Remove(yamlFile)
 		os.RemoveAll(dir1)
 	}

 }

-func (s *SyncSuite) TestSyncManifestOutput(c *check.C) {
-	tmpDir := c.MkDir()
+func (s *syncSuite) TestSyncManifestOutput() {
+	t := s.T()
+	tmpDir := t.TempDir()

 	destDir1 := filepath.Join(tmpDir, "dest1")
 	destDir2 := filepath.Join(tmpDir, "dest2")
@@ -439,154 +461,162 @@ func (s *SyncSuite) TestSyncManifestOutput(c *check.C) {
 	//Split image:tag path from image URI for manifest comparison
 	imageDir := pullableTaggedImage[strings.LastIndex(pullableTaggedImage, "/")+1:]

-	assertSkopeoSucceeds(c, "", "sync", "--format=oci", "--all", "--src", "docker", "--dest", "dir", pullableTaggedImage, destDir1)
-	verifyManifestMIMEType(c, filepath.Join(destDir1, imageDir), imgspecv1.MediaTypeImageManifest)
-	assertSkopeoSucceeds(c, "", "sync", "--format=v2s2", "--all", "--src", "docker", "--dest", "dir", pullableTaggedImage, destDir2)
-	verifyManifestMIMEType(c, filepath.Join(destDir2, imageDir), manifest.DockerV2Schema2MediaType)
-	assertSkopeoSucceeds(c, "", "sync", "--format=v2s1", "--all", "--src", "docker", "--dest", "dir", pullableTaggedImage, destDir3)
-	verifyManifestMIMEType(c, filepath.Join(destDir3, imageDir), manifest.DockerV2Schema1SignedMediaType)
+	assertSkopeoSucceeds(t, "", "sync", "--format=oci", "--all", "--src", "docker", "--dest", "dir", pullableTaggedImage, destDir1)
+	verifyManifestMIMEType(t, filepath.Join(destDir1, imageDir), imgspecv1.MediaTypeImageManifest)
+	assertSkopeoSucceeds(t, "", "sync", "--format=v2s2", "--all", "--src", "docker", "--dest", "dir", pullableTaggedImage, destDir2)
+	verifyManifestMIMEType(t, filepath.Join(destDir2, imageDir), manifest.DockerV2Schema2MediaType)
+	assertSkopeoSucceeds(t, "", "sync", "--format=v2s1", "--all", "--src", "docker", "--dest", "dir", pullableTaggedImage, destDir3)
+	verifyManifestMIMEType(t, filepath.Join(destDir3, imageDir), manifest.DockerV2Schema1SignedMediaType)
 }

-func (s *SyncSuite) TestDocker2DockerTagged(c *check.C) {
+func (s *syncSuite) TestDocker2DockerTagged() {
+	t := s.T()
 	const localRegURL = "docker://" + v2DockerRegistryURL + "/"

-	tmpDir := c.MkDir()
+	tmpDir := t.TempDir()

 	// FIXME: It would be nice to use one of the local Docker registries instead of needing an Internet connection.
 	image := pullableTaggedImage
 	imageRef, err := docker.ParseReference(fmt.Sprintf("//%s", image))
-	c.Assert(err, check.IsNil)
+	require.NoError(t, err)
 	imagePath := imageRef.DockerReference().String()

 	dir1 := path.Join(tmpDir, "dir1")
 	dir2 := path.Join(tmpDir, "dir2")

 	// sync docker => docker
-	assertSkopeoSucceeds(c, "", "sync", "--scoped", "--dest-tls-verify=false", "--src", "docker", "--dest", "docker", image, v2DockerRegistryURL)
+	assertSkopeoSucceeds(t, "", "sync", "--scoped", "--dest-tls-verify=false", "--src", "docker", "--dest", "docker", image, v2DockerRegistryURL)

 	// copy docker => dir
-	assertSkopeoSucceeds(c, "", "copy", "docker://"+image, "dir:"+dir1)
+	assertSkopeoSucceeds(t, "", "copy", "docker://"+image, "dir:"+dir1)
 	_, err = os.Stat(path.Join(dir1, "manifest.json"))
-	c.Assert(err, check.IsNil)
+	require.NoError(t, err)

 	// copy docker => dir
-	assertSkopeoSucceeds(c, "", "copy", "--src-tls-verify=false", localRegURL+imagePath, "dir:"+dir2)
+	assertSkopeoSucceeds(t, "", "copy", "--src-tls-verify=false", localRegURL+imagePath, "dir:"+dir2)
 	_, err = os.Stat(path.Join(dir2, "manifest.json"))
-	c.Assert(err, check.IsNil)
+	require.NoError(t, err)

-	out := combinedOutputOfCommand(c, "diff", "-urN", dir1, dir2)
-	c.Assert(out, check.Equals, "")
+	out := combinedOutputOfCommand(t, "diff", "-urN", dir1, dir2)
+	assert.Equal(t, "", out)
 }

-func (s *SyncSuite) TestDir2DockerTagged(c *check.C) {
+func (s *syncSuite) TestDir2DockerTagged() {
+	t := s.T()
 	const localRegURL = "docker://" + v2DockerRegistryURL + "/"

-	tmpDir := c.MkDir()
+	tmpDir := t.TempDir()

 	// FIXME: It would be nice to use one of the local Docker registries instead of needing an Internet connection.
 	image := pullableRepoWithLatestTag

 	dir1 := path.Join(tmpDir, "dir1")
 	err := os.Mkdir(dir1, 0755)
-	c.Assert(err, check.IsNil)
+	require.NoError(t, err)
 	dir2 := path.Join(tmpDir, "dir2")
 	err = os.Mkdir(dir2, 0755)
-	c.Assert(err, check.IsNil)
+	require.NoError(t, err)

 	// create leading dirs
 	err = os.MkdirAll(path.Dir(path.Join(dir1, image)), 0755)
-	c.Assert(err, check.IsNil)
+	require.NoError(t, err)

 	// copy docker => dir
-	assertSkopeoSucceeds(c, "", "copy", "docker://"+image, "dir:"+path.Join(dir1, image))
+	assertSkopeoSucceeds(t, "", "copy", "docker://"+image, "dir:"+path.Join(dir1, image))
 	_, err = os.Stat(path.Join(dir1, image, "manifest.json"))
-	c.Assert(err, check.IsNil)
+	require.NoError(t, err)

 	// sync dir => docker
-	assertSkopeoSucceeds(c, "", "sync", "--scoped", "--dest-tls-verify=false", "--src", "dir", "--dest", "docker", dir1, v2DockerRegistryURL)
+	assertSkopeoSucceeds(t, "", "sync", "--scoped", "--dest-tls-verify=false", "--src", "dir", "--dest", "docker", dir1, v2DockerRegistryURL)

 	// create leading dirs
 	err = os.MkdirAll(path.Dir(path.Join(dir2, image)), 0755)
-	c.Assert(err, check.IsNil)
+	require.NoError(t, err)

 	// copy docker => dir
-	assertSkopeoSucceeds(c, "", "copy", "--src-tls-verify=false", localRegURL+image, "dir:"+path.Join(dir2, image))
+	assertSkopeoSucceeds(t, "", "copy", "--src-tls-verify=false", localRegURL+image, "dir:"+path.Join(dir2, image))
 	_, err = os.Stat(path.Join(dir2, image, "manifest.json"))
-	c.Assert(err, check.IsNil)
+	require.NoError(t, err)

-	out := combinedOutputOfCommand(c, "diff", "-urN", dir1, dir2)
-	c.Assert(out, check.Equals, "")
+	out := combinedOutputOfCommand(t, "diff", "-urN", dir1, dir2)
+	assert.Equal(t, "", out)
 }

-func (s *SyncSuite) TestFailsWithDir2Dir(c *check.C) {
-	tmpDir := c.MkDir()
+func (s *syncSuite) TestFailsWithDir2Dir() {
+	t := s.T()
+	tmpDir := t.TempDir()

 	dir1 := path.Join(tmpDir, "dir1")
 	dir2 := path.Join(tmpDir, "dir2")

 	// sync dir => dir is not allowed
-	assertSkopeoFails(c, ".*sync from 'dir' to 'dir' not implemented.*", "sync", "--scoped", "--src", "dir", "--dest", "dir", dir1, dir2)
+	assertSkopeoFails(t, ".*sync from 'dir' to 'dir' not implemented.*", "sync", "--scoped", "--src", "dir", "--dest", "dir", dir1, dir2)
 }

-func (s *SyncSuite) TestFailsNoSourceImages(c *check.C) {
-	tmpDir := c.MkDir()
+func (s *syncSuite) TestFailsNoSourceImages() {
+	t := s.T()
+	tmpDir := t.TempDir()

-	assertSkopeoFails(c, ".*No images to sync found in .*",
+	assertSkopeoFails(t, ".*No images to sync found in .*",
 		"sync", "--scoped", "--dest-tls-verify=false", "--src", "dir", "--dest", "docker", tmpDir, v2DockerRegistryURL)

-	assertSkopeoFails(c, ".*Error determining repository tags for repo docker.io/library/hopefully_no_images_will_ever_be_called_like_this: fetching tags list: requested access to the resource is denied.*",
+	assertSkopeoFails(t, ".*Error determining repository tags for repo docker.io/library/hopefully_no_images_will_ever_be_called_like_this: fetching tags list: requested access to the resource is denied.*",
 		"sync", "--scoped", "--dest-tls-verify=false", "--src", "docker", "--dest", "docker", "hopefully_no_images_will_ever_be_called_like_this", v2DockerRegistryURL)
 }

-func (s *SyncSuite) TestFailsWithDockerSourceNoRegistry(c *check.C) {
+func (s *syncSuite) TestFailsWithDockerSourceNoRegistry() {
+	t := s.T()
 	const regURL = "google.com/namespace/imagename"

-	tmpDir := c.MkDir()
+	tmpDir := t.TempDir()

 	//untagged
-	assertSkopeoFails(c, ".*StatusCode: 404.*",
+	assertSkopeoFails(t, ".*StatusCode: 404.*",
 		"sync", "--scoped", "--src", "docker", "--dest", "dir", regURL, tmpDir)

 	//tagged
-	assertSkopeoFails(c, ".*StatusCode: 404.*",
+	assertSkopeoFails(t, ".*StatusCode: 404.*",
 		"sync", "--scoped", "--src", "docker", "--dest", "dir", regURL+":thetag", tmpDir)
 }

-func (s *SyncSuite) TestFailsWithDockerSourceUnauthorized(c *check.C) {
+func (s *syncSuite) TestFailsWithDockerSourceUnauthorized() {
+	t := s.T()
 	const repo = "privateimagenamethatshouldnotbepublic"
-	tmpDir := c.MkDir()
+	tmpDir := t.TempDir()

 	//untagged
-	assertSkopeoFails(c, ".*requested access to the resource is denied.*",
+	assertSkopeoFails(t, ".*requested access to the resource is denied.*",
 		"sync", "--scoped", "--src", "docker", "--dest", "dir", repo, tmpDir)

 	//tagged
-	assertSkopeoFails(c, ".*requested access to the resource is denied.*",
+	assertSkopeoFails(t, ".*requested access to the resource is denied.*",
 		"sync", "--scoped", "--src", "docker", "--dest", "dir", repo+":thetag", tmpDir)
 }

-func (s *SyncSuite) TestFailsWithDockerSourceNotExisting(c *check.C) {
+func (s *syncSuite) TestFailsWithDockerSourceNotExisting() {
+	t := s.T()
 	repo := path.Join(v2DockerRegistryURL, "imagedoesnotexist")
-	tmpDir := c.MkDir()
+	tmpDir := t.TempDir()

 	//untagged
-	assertSkopeoFails(c, ".*repository name not known to registry.*",
+	assertSkopeoFails(t, ".*repository name not known to registry.*",
 		"sync", "--scoped", "--src-tls-verify=false", "--src", "docker", "--dest", "dir", repo, tmpDir)

 	//tagged
-	assertSkopeoFails(c, ".*reading manifest.*",
+	assertSkopeoFails(t, ".*reading manifest.*",
 		"sync", "--scoped", "--src-tls-verify=false", "--src", "docker", "--dest", "dir", repo+":thetag", tmpDir)
 }

-func (s *SyncSuite) TestFailsWithDirSourceNotExisting(c *check.C) {
+func (s *syncSuite) TestFailsWithDirSourceNotExisting() {
+	t := s.T()
 	// Make sure the dir does not exist!
-	tmpDir := c.MkDir()
+	tmpDir := t.TempDir()
 	tmpDir = filepath.Join(tmpDir, "this-does-not-exist")
 	err := os.RemoveAll(tmpDir)
-	c.Assert(err, check.IsNil)
+	require.NoError(t, err)
 	_, err = os.Stat(path.Join(tmpDir))
-	c.Check(os.IsNotExist(err), check.Equals, true)
+	assert.True(t, os.IsNotExist(err))

-	assertSkopeoFails(c, ".*no such file or directory.*",
+	assertSkopeoFails(t, ".*no such file or directory.*",
 		"sync", "--scoped", "--dest-tls-verify=false", "--src", "dir", "--dest", "docker", tmpDir, v2DockerRegistryURL)
 }
--- a/integration/utils.go
+++ b/integration/utils.go
@@ -2,38 +2,43 @@ package main

 import (
 	"bytes"
+	"compress/gzip"
+	"encoding/json"
 	"io"
 	"net"
+	"net/netip"
 	"os"
 	"os/exec"
 	"path/filepath"
 	"strings"
+	"testing"
 	"time"

 	"github.com/containers/image/v5/manifest"
-	"gopkg.in/check.v1"
+	"github.com/opencontainers/go-digest"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )

 const skopeoBinary = "skopeo"
-const decompressDirsBinary = "./decompress-dirs.sh"

 const testFQIN = "docker://quay.io/libpod/busybox" // tag left off on purpose, some tests need to add a special one
 const testFQIN64 = "docker://quay.io/libpod/busybox:amd64"
 const testFQINMultiLayer = "docker://quay.io/libpod/alpine_nginx:latest" // multi-layer

-// consumeAndLogOutputStream takes (f, err) from an exec.*Pipe(), and causes all output to it to be logged to c.
-func consumeAndLogOutputStream(c *check.C, id string, f io.ReadCloser, err error) {
-	c.Assert(err, check.IsNil)
+// consumeAndLogOutputStream takes (f, err) from an exec.*Pipe(), and causes all output to it to be logged to t.
+func consumeAndLogOutputStream(t *testing.T, id string, f io.ReadCloser, err error) {
+	require.NoError(t, err)
 	go func() {
 		defer func() {
 			f.Close()
-			c.Logf("Output %s: Closed", id)
+			t.Logf("Output %s: Closed", id)
 		}()
 		buf := make([]byte, 1024)
 		for {
-			c.Logf("Output %s: waiting", id)
+			t.Logf("Output %s: waiting", id)
 			n, err := f.Read(buf)
-			c.Logf("Output %s: got %d,%#v: %s", id, n, err, strings.TrimSuffix(string(buf[:n]), "\n"))
+			t.Logf("Output %s: got %d,%#v: %s", id, n, err, strings.TrimSuffix(string(buf[:n]), "\n"))
 			if n <= 0 {
 				break
 			}
@@ -41,72 +46,73 @@ func consumeAndLogOutputStream(c *check.C, id string, f io.ReadCloser, err error
 	}()
 }

-// consumeAndLogOutputs causes all output to stdout and stderr from an *exec.Cmd to be logged to c
-func consumeAndLogOutputs(c *check.C, id string, cmd *exec.Cmd) {
+// consumeAndLogOutputs causes all output to stdout and stderr from an *exec.Cmd to be logged to c.
+func consumeAndLogOutputs(t *testing.T, id string, cmd *exec.Cmd) {
 	stdout, err := cmd.StdoutPipe()
-	consumeAndLogOutputStream(c, id+" stdout", stdout, err)
+	consumeAndLogOutputStream(t, id+" stdout", stdout, err)
 	stderr, err := cmd.StderrPipe()
-	consumeAndLogOutputStream(c, id+" stderr", stderr, err)
+	consumeAndLogOutputStream(t, id+" stderr", stderr, err)
 }

 // combinedOutputOfCommand runs a command as if exec.Command().CombinedOutput(), verifies that the exit status is 0, and returns the output,
 // or terminates c on failure.
-func combinedOutputOfCommand(c *check.C, name string, args ...string) string {
-	c.Logf("Running %s %s", name, strings.Join(args, " "))
+func combinedOutputOfCommand(t *testing.T, name string, args ...string) string {
+	t.Logf("Running %s %s", name, strings.Join(args, " "))
 	out, err := exec.Command(name, args...).CombinedOutput()
-	c.Assert(err, check.IsNil, check.Commentf("%s", out))
+	require.NoError(t, err, "%s", out)
 	return string(out)
 }

 // assertSkopeoSucceeds runs a skopeo command as if exec.Command().CombinedOutput, verifies that the exit status is 0,
 // and optionally that the output matches a multi-line regexp if it is nonempty;
 // or terminates c on failure
-func assertSkopeoSucceeds(c *check.C, regexp string, args ...string) {
-	c.Logf("Running %s %s", skopeoBinary, strings.Join(args, " "))
+func assertSkopeoSucceeds(t *testing.T, regexp string, args ...string) {
+	t.Logf("Running %s %s", skopeoBinary, strings.Join(args, " "))
 	out, err := exec.Command(skopeoBinary, args...).CombinedOutput()
-	c.Assert(err, check.IsNil, check.Commentf("%s", out))
+	assert.NoError(t, err, "%s", out)
 	if regexp != "" {
-		c.Assert(string(out), check.Matches, "(?s)"+regexp) // (?s) : '.' will also match newlines
+		assert.Regexp(t, "(?s)"+regexp, string(out)) // (?s) : '.' will also match newlines
 	}
 }

 // assertSkopeoFails runs a skopeo command as if exec.Command().CombinedOutput, verifies that the exit status is 0,
 // and that the output matches a multi-line regexp;
 // or terminates c on failure
-func assertSkopeoFails(c *check.C, regexp string, args ...string) {
-	c.Logf("Running %s %s", skopeoBinary, strings.Join(args, " "))
+func assertSkopeoFails(t *testing.T, regexp string, args ...string) {
+	t.Logf("Running %s %s", skopeoBinary, strings.Join(args, " "))
 	out, err := exec.Command(skopeoBinary, args...).CombinedOutput()
-	c.Assert(err, check.NotNil, check.Commentf("%s", out))
-	c.Assert(string(out), check.Matches, "(?s)"+regexp) // (?s) : '.' will also match newlines
+	assert.Error(t, err, "%s", out)
+	assert.Regexp(t, "(?s)"+regexp, string(out)) // (?s) : '.' will also match newlines
 }

 // runCommandWithInput runs a command as if exec.Command(), sending it the input to stdin,
 // and verifies that the exit status is 0, or terminates c on failure.
-func runCommandWithInput(c *check.C, input string, name string, args ...string) {
+func runCommandWithInput(t *testing.T, input string, name string, args ...string) {
 	cmd := exec.Command(name, args...)
-	runExecCmdWithInput(c, cmd, input)
+	runExecCmdWithInput(t, cmd, input)
 }

 // runExecCmdWithInput runs an exec.Cmd, sending it the input to stdin,
 // and verifies that the exit status is 0, or terminates c on failure.
-func runExecCmdWithInput(c *check.C, cmd *exec.Cmd, input string) {
-	c.Logf("Running %s %s", cmd.Path, strings.Join(cmd.Args, " "))
-	consumeAndLogOutputs(c, cmd.Path+" "+strings.Join(cmd.Args, " "), cmd)
+func runExecCmdWithInput(t *testing.T, cmd *exec.Cmd, input string) {
+	t.Logf("Running %s %s", cmd.Path, strings.Join(cmd.Args, " "))
+	consumeAndLogOutputs(t, cmd.Path+" "+strings.Join(cmd.Args, " "), cmd)
 	stdin, err := cmd.StdinPipe()
-	c.Assert(err, check.IsNil)
+	require.NoError(t, err)
 	err = cmd.Start()
-	c.Assert(err, check.IsNil)
-	_, err = stdin.Write([]byte(input))
-	c.Assert(err, check.IsNil)
+	require.NoError(t, err)
+	_, err = io.WriteString(stdin, input)
+	require.NoError(t, err)
 	err = stdin.Close()
-	c.Assert(err, check.IsNil)
+	require.NoError(t, err)
 	err = cmd.Wait()
-	c.Assert(err, check.IsNil)
+	assert.NoError(t, err)
 }

 // isPortOpen returns true iff the specified port on localhost is open.
-func isPortOpen(port int) bool {
-	conn, err := net.DialTCP("tcp", nil, &net.TCPAddr{IP: net.IPv4(127, 0, 0, 1), Port: port})
+func isPortOpen(port uint16) bool {
+	ap := netip.AddrPortFrom(netip.AddrFrom4([4]byte{127, 0, 0, 1}), port)
+	conn, err := net.DialTCP("tcp", nil, net.TCPAddrFromAddrPort(ap))
 	if err != nil {
 		return false
 	}
@@ -118,29 +124,29 @@ func isPortOpen(port int) bool {
 // The checking can be aborted by sending a value to the terminate channel, which the caller should
 // always do using
 // defer func() {terminate <- true}()
-func newPortChecker(c *check.C, port int) (portOpen <-chan bool, terminate chan<- bool) {
+func newPortChecker(t *testing.T, port uint16) (portOpen <-chan bool, terminate chan<- bool) {
 	portOpenBidi := make(chan bool)
 	// Buffered, so that sending a terminate request after the goroutine has exited does not block.
 	terminateBidi := make(chan bool, 1)

 	go func() {
 		defer func() {
-			c.Logf("Port checker for port %d exiting", port)
+			t.Logf("Port checker for port %d exiting", port)
 		}()
 		for {
-			c.Logf("Checking for port %d...", port)
+			t.Logf("Checking for port %d...", port)
 			if isPortOpen(port) {
-				c.Logf("Port %d open", port)
+				t.Logf("Port %d open", port)
 				portOpenBidi <- true
 				return
 			}
-			c.Logf("Sleeping for port %d", port)
+			t.Logf("Sleeping for port %d", port)
 			sleepChan := time.After(100 * time.Millisecond)
 			select {
 			case <-sleepChan: // Try again
-				c.Logf("Sleeping for port %d done, will retry", port)
+				t.Logf("Sleeping for port %d done, will retry", port)
 			case <-terminateBidi:
-				c.Logf("Check for port %d terminated", port)
+				t.Logf("Check for port %d terminated", port)
 				return
 			}
 		}
@@ -162,54 +168,124 @@ func modifyEnviron(env []string, name, value string) []string {

 // fileFromFixtureFixture applies edits to inputPath and returns a path to the temporary file.
 // Callers should defer os.Remove(the_returned_path)
-func fileFromFixture(c *check.C, inputPath string, edits map[string]string) string {
+func fileFromFixture(t *testing.T, inputPath string, edits map[string]string) string {
 	contents, err := os.ReadFile(inputPath)
-	c.Assert(err, check.IsNil)
+	require.NoError(t, err)
 	for template, value := range edits {
 		updated := bytes.ReplaceAll(contents, []byte(template), []byte(value))
-		c.Assert(bytes.Equal(updated, contents), check.Equals, false, check.Commentf("Replacing %s in %#v failed", template, string(contents))) // Verify that the template has matched something and we are not silently ignoring it.
+		require.NotEqual(t, contents, updated, "Replacing %s in %#v failed", template, string(contents)) // Verify that the template has matched something and we are not silently ignoring it.
 		contents = updated
 	}

 	file, err := os.CreateTemp("", "policy.json")
-	c.Assert(err, check.IsNil)
+	require.NoError(t, err)
 	path := file.Name()

 	_, err = file.Write(contents)
-	c.Assert(err, check.IsNil)
+	require.NoError(t, err)
 	err = file.Close()
-	c.Assert(err, check.IsNil)
+	require.NoError(t, err)
 	return path
 }

-// runDecompressDirs runs decompress-dirs.sh using exec.Command().CombinedOutput, verifies that the exit status is 0,
-// and optionally that the output matches a multi-line regexp if it is nonempty; or terminates c on failure
-func runDecompressDirs(c *check.C, regexp string, args ...string) {
-	c.Logf("Running %s %s", decompressDirsBinary, strings.Join(args, " "))
-	for i, dir := range args {
+// decompressDirs decompresses specified dir:-formatted directories
+func decompressDirs(t *testing.T, dirs ...string) {
+	t.Logf("Decompressing %s", strings.Join(dirs, " "))
+	for i, dir := range dirs {
 		m, err := os.ReadFile(filepath.Join(dir, "manifest.json"))
-		c.Assert(err, check.IsNil)
-		c.Logf("manifest %d before: %s", i+1, string(m))
-	}
-	out, err := exec.Command(decompressDirsBinary, args...).CombinedOutput()
-	c.Assert(err, check.IsNil, check.Commentf("%s", out))
-	for i, dir := range args {
-		if len(out) > 0 {
-			c.Logf("output: %s", out)
-		}
-		m, err := os.ReadFile(filepath.Join(dir, "manifest.json"))
-		c.Assert(err, check.IsNil)
-		c.Logf("manifest %d after: %s", i+1, string(m))
-	}
-	if regexp != "" {
-		c.Assert(string(out), check.Matches, "(?s)"+regexp) // (?s) : '.' will also match newlines
+		require.NoError(t, err)
+		t.Logf("manifest %d before: %s", i+1, string(m))
+
+		decompressDir(t, dir)
+
+		m, err = os.ReadFile(filepath.Join(dir, "manifest.json"))
+		require.NoError(t, err)
+		t.Logf("manifest %d after: %s", i+1, string(m))
 	}
 }

-// Verify manifest in a dir: image at dir is expectedMIMEType.
-func verifyManifestMIMEType(c *check.C, dir string, expectedMIMEType string) {
-	manifestBlob, err := os.ReadFile(filepath.Join(dir, "manifest.json"))
-	c.Assert(err, check.IsNil)
-	mimeType := manifest.GuessMIMEType(manifestBlob)
-	c.Assert(mimeType, check.Equals, expectedMIMEType)
+// getRawMapField assigns a value of rawMap[key] to dest,
+// failing if it does not exist or if it doesn’t have the expected type
+func getRawMapField[T any](t *testing.T, rawMap map[string]any, key string, dest *T) {
+	rawValue, ok := rawMap[key]
+	require.True(t, ok, key)
+	value, ok := rawValue.(T)
+	require.True(t, ok, key, "%#v", value)
+	*dest = value
+}
+
+// decompressDir modifies a dir:-formatted directory to replace gzip-compressed layers with uncompressed variants,
+// and to use a ~canonical formatting of manifest.json.
+func decompressDir(t *testing.T, dir string) {
+	// This is, overall, very dumb; the “obvious” way would be to invoke skopeo to decompress,
+	// or at least to use c/image to parse/format the manifest.
+	//
+	// But this is used to test (aspects of) those code paths… so, it’s acceptable for this to be
+	// dumb and to make assumptions about the data, but it should not share code.
+
+	manifestBlob, err := os.ReadFile(filepath.Join(dir, "manifest.json"))
+	require.NoError(t, err)
+	var rawManifest map[string]any
+	err = json.Unmarshal(manifestBlob, &rawManifest)
+	require.NoError(t, err)
+	var rawLayers []any
+	getRawMapField(t, rawManifest, "layers", &rawLayers)
+	for i, rawLayerValue := range rawLayers {
+		rawLayer, ok := rawLayerValue.(map[string]any)
+		require.True(t, ok)
+		var digestString string
+		getRawMapField(t, rawLayer, "digest", &digestString)
+		compressedDigest, err := digest.Parse(digestString)
+		require.NoError(t, err)
+		if compressedDigest.String() == "sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855" { // An empty file
+			continue
+		}
+
+		compressedPath := filepath.Join(dir, compressedDigest.Encoded())
+		compressedStream, err := os.Open(compressedPath)
+		require.NoError(t, err)
+		defer compressedStream.Close()
+
+		uncompressedStream, err := gzip.NewReader(compressedStream)
+		if err != nil {
+			continue // Silently assume the layer is not gzip-compressed
+		}
+		tempDest, err := os.CreateTemp(dir, "decompressing")
+		require.NoError(t, err)
+		digester := digest.Canonical.Digester()
+		uncompressedSize, err := io.Copy(tempDest, io.TeeReader(uncompressedStream, digester.Hash()))
+		require.NoError(t, err)
+		err = uncompressedStream.Close()
+		require.NoError(t, err)
+		uncompressedDigest := digester.Digest()
+		uncompressedPath := filepath.Join(dir, uncompressedDigest.Encoded())
+		err = os.Rename(tempDest.Name(), uncompressedPath)
+		require.NoError(t, err)
+		err = os.Remove(compressedPath)
+		require.NoError(t, err)
+
+		rawLayer["digest"] = uncompressedDigest.String()
+		rawLayer["size"] = uncompressedSize
+		var mimeType string
+		getRawMapField(t, rawLayer, "mediaType", &mimeType)
+		if strings.HasSuffix(mimeType, ".gzip") { // This should use CutSuffix with Go ≥1.20
+			rawLayer["mediaType"] = strings.TrimSuffix(mimeType, ".gzip")
+		}
+
+		rawLayers[i] = rawLayer
+	}
+	rawManifest["layers"] = rawLayers
+
+	manifestBlob, err = json.Marshal(rawManifest)
+	require.NoError(t, err)
+	err = os.WriteFile(filepath.Join(dir, "manifest.json"), manifestBlob, 0o600)
+	require.NoError(t, err)
+}
+
+// Verify manifest in a dir: image at dir is expectedMIMEType.
+func verifyManifestMIMEType(t *testing.T, dir string, expectedMIMEType string) {
+	manifestBlob, err := os.ReadFile(filepath.Join(dir, "manifest.json"))
+	require.NoError(t, err)
+	mimeType := manifest.GuessMIMEType(manifestBlob)
+	assert.Equal(t, expectedMIMEType, mimeType)
 }
--- a/rpm/skopeo.spec
+++ b/rpm/skopeo.spec
@@ -0,0 +1,174 @@
+%global with_debug 1
+
+%if 0%{?with_debug}
+%global _find_debuginfo_dwz_opts %{nil}
+%global _dwz_low_mem_die_limit 0
+%else
+%global debug_package %{nil}
+%endif
+
+# RHEL's default %%gobuild macro doesn't account for the BUILDTAGS variable, so we
+# set it separately here and do not depend on RHEL's go-[s]rpm-macros package
+# until that's fixed.
+# c9s bz: https://bugzilla.redhat.com/show_bug.cgi?id=2227328
+# c8s bz: https://bugzilla.redhat.com/show_bug.cgi?id=2227331
+%if %{defined rhel}
+%define gobuild(o:) go build -buildmode pie -compiler gc -tags="rpm_crashtraceback libtrust_openssl ${BUILDTAGS:-}" -ldflags "-linkmode=external -compressdwarf=false ${LDFLAGS:-} -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \\n') -extldflags '%__global_ldflags'" -a -v -x %{?**};
+%endif
+
+%global gomodulesmode GO111MODULE=on
+
+# No btrfs on RHEL
+%if %{defined fedora}
+%define build_with_btrfs 1
+%endif
+
+# Only used in official koji builds
+# Copr builds set a separate epoch for all environments
+%if %{defined fedora}
+%define conditional_epoch 1
+%else
+%define conditional_epoch 2
+%endif
+
+Name: skopeo
+%if %{defined copr_username}
+Epoch: 102
+%else
+Epoch: %{conditional_epoch}
+%endif
+# DO NOT TOUCH the Version string!
+# The TRUE source of this specfile is:
+# https://github.com/containers/skopeo/blob/main/rpm/skopeo.spec
+# If that's what you're reading, Version must be 0, and will be updated by Packit for
+# copr and koji builds.
+# If you're reading this on dist-git, the version is automatically filled in by Packit.
+Version: 0
+# The `AND` needs to be uppercase in the License for SPDX compatibility
+License: Apache-2.0 AND BSD-2-Clause AND BSD-3-Clause AND ISC AND MIT AND MPL-2.0
+Release: %autorelease
+%if %{defined golang_arches_future}
+ExclusiveArch: %{golang_arches_future}
+%else
+ExclusiveArch: aarch64 ppc64le s390x x86_64
+%endif
+Summary: Inspect container images and repositories on registries
+URL: https://github.com/containers/%{name}
+# Tarball fetched from upstream
+Source0: %{url}/archive/v%{version}.tar.gz
+BuildRequires: %{_bindir}/go-md2man
+%if %{defined build_with_btrfs}
+BuildRequires: btrfs-progs-devel
+%endif
+BuildRequires: git-core
+BuildRequires: golang
+%if !%{defined gobuild}
+BuildRequires: go-rpm-macros
+%endif
+BuildRequires: gpgme-devel
+BuildRequires: libassuan-devel
+BuildRequires: pkgconfig(devmapper)
+BuildRequires: ostree-devel
+BuildRequires: glib2-devel
+BuildRequires: make
+BuildRequires: shadow-utils-subid-devel
+Requires: containers-common >= 4:1-21
+
+%description
+Command line utility to inspect images and repositories directly on Docker
+registries without the need to pull them
+
+%package tests
+Summary: Tests for %{name}
+
+Requires: %{name} = %{epoch}:%{version}-%{release}
+Requires: bats
+Requires: gnupg
+Requires: jq
+Requires: golang
+Requires: podman
+Requires: crun
+Requires: httpd-tools
+Requires: openssl
+Requires: fakeroot
+Requires: squashfs-tools
+
+%description tests
+%{summary}
+
+This package contains system tests for %{name}
+
+%prep
+%autosetup -Sgit %{name}-%{version}
+# The %%install stage should not rebuild anything but only install what's
+# built in the %%build stage. So, remove any dependency on build targets.
+sed -i 's/^install-binary: bin\/%{name}.*/install-binary:/' Makefile
+sed -i 's/^completions: bin\/%{name}.*/completions:/' Makefile
+sed -i 's/^install-docs: docs.*/install-docs:/' Makefile
+
+%build
+%set_build_flags
+export CGO_CFLAGS=$CFLAGS
+
+# These extra flags present in $CFLAGS have been skipped for now as they break the build
+CGO_CFLAGS=$(echo $CGO_CFLAGS | sed 's/-flto=auto//g')
+CGO_CFLAGS=$(echo $CGO_CFLAGS | sed 's/-Wp,D_GLIBCXX_ASSERTIONS//g')
+CGO_CFLAGS=$(echo $CGO_CFLAGS | sed 's/-specs=\/usr\/lib\/rpm\/redhat\/redhat-annobin-cc1//g')
+
+%ifarch x86_64
+export CGO_CFLAGS="$CGO_CFLAGS -m64 -mtune=generic -fcf-protection=full"
+%endif
+
+BASEBUILDTAGS="$(hack/libdm_tag.sh) $(hack/libsubid_tag.sh)"
+%if %{defined build_with_btrfs}
+export BUILDTAGS="$BASEBUILDTAGS $(hack/btrfs_tag.sh) $(hack/btrfs_installed_tag.sh)"
+%else
+export BUILDTAGS="$BASEBUILDTAGS btrfs_noversion exclude_graphdriver_btrfs"
+%endif
+
+# unset LDFLAGS earlier set from set_build_flags
+LDFLAGS=''
+
+%gobuild -o bin/%{name} ./cmd/%{name}
+%{__make} docs
+
+%install
+make \
+    DESTDIR=%{buildroot} \
+    PREFIX=%{_prefix} \
+    install-binary install-docs install-completions
+
+# system tests
+install -d -p %{buildroot}/%{_datadir}/%{name}/test/system
+cp -pav systemtest/* %{buildroot}/%{_datadir}/%{name}/test/system/
+
+#define license tag if not already defined
+%{!?_licensedir:%global license %doc}
+
+%files
+%license LICENSE
+%doc README.md
+%{_bindir}/%{name}
+%{_mandir}/man1/%{name}*
+%dir %{_datadir}/bash-completion
+%dir %{_datadir}/bash-completion/completions
+%{_datadir}/bash-completion/completions/%{name}
+%dir %{_datadir}/fish/vendor_completions.d
+%{_datadir}/fish/vendor_completions.d/%{name}.fish
+%dir %{_datadir}/zsh/site-functions
+%{_datadir}/zsh/site-functions/_%{name}
+
+%files tests
+%license LICENSE
+%{_datadir}/%{name}/test
+
+%changelog
+%if %{defined autochangelog}
+%autochangelog
+%else
+# NOTE: This changelog will be visible on CentOS 8 Stream builds
+# Other envs are capable of handling autochangelog
+* Tue Jun 13 2023 RH Container Bot <rhcontainerbot@fedoraproject.org>
+- Placeholder changelog for envs that are not autochangelog-ready.
+- Contact upstream if you need to report an issue with the build.
+%endif
--- a/skopeo.spec.rpkg
+++ b/skopeo.spec.rpkg
@@ -1,132 +0,0 @@
-# For automatic rebuilds in COPR
-
-# The following tag is to get correct syntax highlighting for this file in vim text editor
-# vim: syntax=spec
-
-# Any additinoal comments should go below this line or else syntax highlighting
-# may not work.
-
-# CAUTION: This is not a replacement for RPMs provided by your distro.
-# Only intended to build and test the latest unreleased changes.
-
-%global gomodulesmode GO111MODULE=on
-%global with_debug 1
-
-%if 0%{?with_debug}
-%global _find_debuginfo_dwz_opts %{nil}
-%global _dwz_low_mem_die_limit 0
-%else
-%global debug_package %{nil}
-%endif
-
-%if ! 0%{?gobuild:1}
-%define gobuild(o:) go build -buildmode pie -compiler gc -tags="rpm_crashtraceback ${BUILDTAGS:-}" -ldflags "${LDFLAGS:-} -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \\n') -extldflags '-Wl,-z,relro -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld '" -a -v -x %{?**};
-%endif
-
-Name: {{{ git_dir_name }}}
-Epoch: 101
-Version: {{{ git_dir_version }}}
-Release: 1%{?dist}
-Summary: Inspect container images and repositories on registries
-License: ASL 2.0
-URL: https://github.com/containers/skopeo
-VCS: {{{ git_dir_vcs }}}
-Source: {{{ git_dir_pack }}}
-%if 0%{?fedora} && ! 0%{?rhel}
-BuildRequires: btrfs-progs-devel
-%endif
-BuildRequires: golang >= 1.16.6
-BuildRequires: glib2-devel
-BuildRequires: git-core
-BuildRequires: go-md2man
-%if 0%{?fedora} || 0%{?rhel} >= 9
-BuildRequires: go-rpm-macros
-%endif
-BuildRequires: pkgconfig(devmapper)
-BuildRequires: gpgme-devel
-BuildRequires: libassuan-devel
-BuildRequires: pkgconfig
-BuildRequires: make
-BuildRequires: ostree-devel
-%if 0%{?fedora} <= 35
-Requires: containers-common >= 4:1-39
-%else
-Requires: containers-common >= 4:1-46
-%endif
-
-%description
-Command line utility to inspect images and repositories directly on Docker
-registries without the need to pull them.
-
-%package tests
-Summary: Tests for %{name}
-Requires: %{name} = %{epoch}:%{version}-%{release}
-Requires: bats
-Requires: gnupg
-Requires: jq
-Requires: podman
-Requires: httpd-tools
-Requires: openssl
-Requires: fakeroot
-Requires: squashfs-tools
-
-%description tests
-%{summary}
-
-This package contains system tests for %{name}
-
-%prep
-{{{ git_dir_setup_macro }}}
-
-sed -i 's/install-binary: bin\/skopeo/install-binary:/' Makefile
-
-# This will invoke `make` command in the directory with the extracted sources.
-%build
-%set_build_flags
-export CGO_CFLAGS=$CFLAGS
-# These extra flags present in $CFLAGS have been skipped for now as they break the build
-CGO_CFLAGS=$(echo $CGO_CFLAGS | sed 's/-flto=auto//g')
-CGO_CFLAGS=$(echo $CGO_CFLAGS | sed 's/-Wp,D_GLIBCXX_ASSERTIONS//g')
-CGO_CFLAGS=$(echo $CGO_CFLAGS | sed 's/-specs=\/usr\/lib\/rpm\/redhat\/redhat-annobin-cc1//g')
-
-%ifarch x86_64
-export CGO_CFLAGS+=" -m64 -mtune=generic -fcf-protection=full"
-%endif
-
-LDFLAGS=""
-
-export BUILDTAGS="$(hack/libdm_tag.sh)"
-%if 0%{?rhel}
-export BUILDTAGS="$BUILDTAGS exclude_graphdriver_btrfs btrfs_noversion"
-%endif
-
-%gobuild -o bin/%{name} ./cmd/%{name}
-
-%install
-%{__make} PREFIX=%{buildroot}%{_prefix} install-binary install-docs install-completions
-
-# system tests
-install -d -p %{buildroot}/%{_datadir}/%{name}/test/system
-cp -pav systemtest/* %{buildroot}/%{_datadir}/%{name}/test/system/
-
-%files
-%license LICENSE
-%doc README.md
-%{_bindir}/%{name}
-%{_mandir}/man1/%%{name}*
-%dir %{_datadir}/bash-completion
-%dir %{_datadir}/bash-completion/completions
-%{_datadir}/bash-completion/completions/%{name}
-%dir %{_datadir}/fish
-%dir %{_datadir}/fish/vendor_completions.d
-%{_datadir}/fish/vendor_completions.d/%{name}.fish
-%dir %{_datadir}/zsh
-%dir %{_datadir}/zsh/site-functions
-%{_datadir}/zsh/site-functions/_%{name}
-
-%files tests
-%license LICENSE
-%{_datadir}/%{name}/test
-
-%changelog
-{{{ git_dir_changelog }}}
--- a/systemtest/040-local-registry-auth.bats
+++ b/systemtest/040-local-registry-auth.bats
@@ -16,7 +16,8 @@ function setup() {

    _cred_dir=$TESTDIR/credentials
    # It is important to change XDG_RUNTIME_DIR only after we start the registry, otherwise it affects the path of $XDG_RUNTIME_DIR/netns maintained by Podman,
-    # making it imposible to clean up after ourselves.
+    # making it impossible to clean up after ourselves.
+    export XDG_RUNTIME_DIR_OLD=$XDG_RUNTIME_DIR
    export XDG_RUNTIME_DIR=$_cred_dir
    mkdir -p $_cred_dir/containers
    # Remove old/stale cred file
@@ -111,6 +112,9 @@ function setup() {
 }

 teardown() {
+    # Need to restore XDG_RUNTIME_DIR.
+    XDG_RUNTIME_DIR=$XDG_RUNTIME_DIR_OLD
+
    podman rm -f reg

    if [[ -n $_cred_dir ]]; then
--- a/systemtest/050-signing.bats
+++ b/systemtest/050-signing.bats
@@ -242,7 +242,7 @@ END_TESTS
               $fingerprint \
               $TESTDIR/busybox.signature
    # manifest digest
-    digest=$(echo "$output" | awk '{print $4;}')
+    digest=$(echo "$output" | awk '{print $NF;}')
    run_skopeo manifest-digest $TESTDIR/busybox/manifest.json
    expect_output $digest
 }
--- a/vendor/github.com/imdario/mergo/.deepsource.toml
+++ b/vendor/github.com/imdario/mergo/.deepsource.toml
@@ -9,4 +9,4 @@ name = "go"
 enabled = true

  [analyzers.meta]
-  import_path = "github.com/imdario/mergo"
+  import_path = "dario.cat/mergo"
--- a/vendor/github.com/imdario/mergo/.gitignore
+++ b/vendor/github.com/imdario/mergo/.gitignore
--- a/vendor/github.com/imdario/mergo/.travis.yml
+++ b/vendor/github.com/imdario/mergo/.travis.yml
--- a/vendor/github.com/imdario/mergo/CODE_OF_CONDUCT.md
+++ b/vendor/github.com/imdario/mergo/CODE_OF_CONDUCT.md
--- a/vendor/dario.cat/mergo/CONTRIBUTING.md
+++ b/vendor/dario.cat/mergo/CONTRIBUTING.md
@@ -0,0 +1,112 @@
+<!-- omit in toc -->
+# Contributing to mergo
+
+First off, thanks for taking the time to contribute! ❤️
+
+All types of contributions are encouraged and valued. See the [Table of Contents](#table-of-contents) for different ways to help and details about how this project handles them. Please make sure to read the relevant section before making your contribution. It will make it a lot easier for us maintainers and smooth out the experience for all involved. The community looks forward to your contributions. 🎉
+
+> And if you like the project, but just don't have time to contribute, that's fine. There are other easy ways to support the project and show your appreciation, which we would also be very happy about:
+> - Star the project
+> - Tweet about it
+> - Refer this project in your project's readme
+> - Mention the project at local meetups and tell your friends/colleagues
+
+<!-- omit in toc -->
+## Table of Contents
+
+- [Code of Conduct](#code-of-conduct)
+- [I Have a Question](#i-have-a-question)
+- [I Want To Contribute](#i-want-to-contribute)
+- [Reporting Bugs](#reporting-bugs)
+- [Suggesting Enhancements](#suggesting-enhancements)
+
+## Code of Conduct
+
+This project and everyone participating in it is governed by the
+[mergo Code of Conduct](https://github.com/imdario/mergoblob/master/CODE_OF_CONDUCT.md).
+By participating, you are expected to uphold this code. Please report unacceptable behavior
+to <>.
+
+
+## I Have a Question
+
+> If you want to ask a question, we assume that you have read the available [Documentation](https://pkg.go.dev/github.com/imdario/mergo).
+
+Before you ask a question, it is best to search for existing [Issues](https://github.com/imdario/mergo/issues) that might help you. In case you have found a suitable issue and still need clarification, you can write your question in this issue. It is also advisable to search the internet for answers first.
+
+If you then still feel the need to ask a question and need clarification, we recommend the following:
+
+- Open an [Issue](https://github.com/imdario/mergo/issues/new).
+- Provide as much context as you can about what you're running into.
+- Provide project and platform versions (nodejs, npm, etc), depending on what seems relevant.
+
+We will then take care of the issue as soon as possible.
+
+## I Want To Contribute
+
+> ### Legal Notice <!-- omit in toc -->
+> When contributing to this project, you must agree that you have authored 100% of the content, that you have the necessary rights to the content and that the content you contribute may be provided under the project license.
+
+### Reporting Bugs
+
+<!-- omit in toc -->
+#### Before Submitting a Bug Report
+
+A good bug report shouldn't leave others needing to chase you up for more information. Therefore, we ask you to investigate carefully, collect information and describe the issue in detail in your report. Please complete the following steps in advance to help us fix any potential bug as fast as possible.
+
+- Make sure that you are using the latest version.
+- Determine if your bug is really a bug and not an error on your side e.g. using incompatible environment components/versions (Make sure that you have read the [documentation](). If you are looking for support, you might want to check [this section](#i-have-a-question)).
+- To see if other users have experienced (and potentially already solved) the same issue you are having, check if there is not already a bug report existing for your bug or error in the [bug tracker](https://github.com/imdario/mergoissues?q=label%3Abug).
+- Also make sure to search the internet (including Stack Overflow) to see if users outside of the GitHub community have discussed the issue.
+- Collect information about the bug:
+- Stack trace (Traceback)
+- OS, Platform and Version (Windows, Linux, macOS, x86, ARM)
+- Version of the interpreter, compiler, SDK, runtime environment, package manager, depending on what seems relevant.
+- Possibly your input and the output
+- Can you reliably reproduce the issue? And can you also reproduce it with older versions?
+
+<!-- omit in toc -->
+#### How Do I Submit a Good Bug Report?
+
+> You must never report security related issues, vulnerabilities or bugs including sensitive information to the issue tracker, or elsewhere in public. Instead sensitive bugs must be sent by email to .
+<!-- You may add a PGP key to allow the messages to be sent encrypted as well. -->
+
+We use GitHub issues to track bugs and errors. If you run into an issue with the project:
+
+- Open an [Issue](https://github.com/imdario/mergo/issues/new). (Since we can't be sure at this point whether it is a bug or not, we ask you not to talk about a bug yet and not to label the issue.)
+- Explain the behavior you would expect and the actual behavior.
+- Please provide as much context as possible and describe the *reproduction steps* that someone else can follow to recreate the issue on their own. This usually includes your code. For good bug reports you should isolate the problem and create a reduced test case.
+- Provide the information you collected in the previous section.
+
+Once it's filed:
+
+- The project team will label the issue accordingly.
+- A team member will try to reproduce the issue with your provided steps. If there are no reproduction steps or no obvious way to reproduce the issue, the team will ask you for those steps and mark the issue as `needs-repro`. Bugs with the `needs-repro` tag will not be addressed until they are reproduced.
+- If the team is able to reproduce the issue, it will be marked `needs-fix`, as well as possibly other tags (such as `critical`), and the issue will be left to be implemented by someone.
+
+### Suggesting Enhancements
+
+This section guides you through submitting an enhancement suggestion for mergo, **including completely new features and minor improvements to existing functionality**. Following these guidelines will help maintainers and the community to understand your suggestion and find related suggestions.
+
+<!-- omit in toc -->
+#### Before Submitting an Enhancement
+
+- Make sure that you are using the latest version.
+- Read the [documentation]() carefully and find out if the functionality is already covered, maybe by an individual configuration.
+- Perform a [search](https://github.com/imdario/mergo/issues) to see if the enhancement has already been suggested. If it has, add a comment to the existing issue instead of opening a new one.
+- Find out whether your idea fits with the scope and aims of the project. It's up to you to make a strong case to convince the project's developers of the merits of this feature. Keep in mind that we want features that will be useful to the majority of our users and not just a small subset. If you're just targeting a minority of users, consider writing an add-on/plugin library.
+
+<!-- omit in toc -->
+#### How Do I Submit a Good Enhancement Suggestion?
+
+Enhancement suggestions are tracked as [GitHub issues](https://github.com/imdario/mergo/issues).
+
+- Use a **clear and descriptive title** for the issue to identify the suggestion.
+- Provide a **step-by-step description of the suggested enhancement** in as many details as possible.
+- **Describe the current behavior** and **explain which behavior you expected to see instead** and why. At this point you can also tell which alternatives do not work for you.
+- You may want to **include screenshots and animated GIFs** which help you demonstrate the steps or point out the part which the suggestion is related to. You can use [this tool](https://www.cockos.com/licecap/) to record GIFs on macOS and Windows, and [this tool](https://github.com/colinkeenan/silentcast) or [this tool](https://github.com/GNOME/byzanz) on Linux. <!-- this should only be included if the project has a GUI -->
+- **Explain why this enhancement would be useful** to most mergo users. You may also want to point out the other projects that solved it better and which could serve as inspiration.
+
+<!-- omit in toc -->
+## Attribution
+This guide is based on the **contributing-gen**. [Make your own](https://github.com/bttger/contributing-gen)!
--- a/vendor/github.com/imdario/mergo/LICENSE
+++ b/vendor/github.com/imdario/mergo/LICENSE
--- a/vendor/github.com/imdario/mergo/README.md
+++ b/vendor/github.com/imdario/mergo/README.md
@@ -1,17 +1,20 @@
 # Mergo

-
-[![GoDoc][3]][4]
 [![GitHub release][5]][6]
 [![GoCard][7]][8]
-[![Build Status][1]][2]
-[![Coverage Status][9]][10]
+[![Test status][1]][2]
+[![OpenSSF Scorecard][21]][22]
+[![OpenSSF Best Practices][19]][20]
+[![Coverage status][9]][10]
 [![Sourcegraph][11]][12]
-[![FOSSA Status][13]][14]
-[![Become my sponsor][15]][16]
+[![FOSSA status][13]][14]

-[1]: https://travis-ci.org/imdario/mergo.png
-[2]: https://travis-ci.org/imdario/mergo
+[![GoDoc][3]][4]
+[![Become my sponsor][15]][16]
+[![Tidelift][17]][18]
+
+[1]: https://github.com/imdario/mergo/workflows/tests/badge.svg?branch=master
+[2]: https://github.com/imdario/mergo/actions/workflows/tests.yml
 [3]: https://godoc.org/github.com/imdario/mergo?status.svg
 [4]: https://godoc.org/github.com/imdario/mergo
 [5]: https://img.shields.io/github/release/imdario/mergo.svg
@@ -26,6 +29,12 @@
 [14]: https://app.fossa.io/projects/git%2Bgithub.com%2Fimdario%2Fmergo?ref=badge_shield
 [15]: https://img.shields.io/github/sponsors/imdario
 [16]: https://github.com/sponsors/imdario
+[17]: https://tidelift.com/badges/package/go/github.com%2Fimdario%2Fmergo
+[18]: https://tidelift.com/subscription/pkg/go-github.com-imdario-mergo
+[19]: https://bestpractices.coreinfrastructure.org/projects/7177/badge
+[20]: https://bestpractices.coreinfrastructure.org/projects/7177
+[21]: https://api.securityscorecards.dev/projects/github.com/imdario/mergo/badge
+[22]: https://api.securityscorecards.dev/projects/github.com/imdario/mergo

 A helper to merge structs and maps in Golang. Useful for configuration default values, avoiding messy if-statements.

@@ -37,13 +46,19 @@ Also a lovely [comune](http://en.wikipedia.org/wiki/Mergo) (municipality) in the

 It is ready for production use. [It is used in several projects by Docker, Google, The Linux Foundation, VMWare, Shopify, Microsoft, etc](https://github.com/imdario/mergo#mergo-in-the-wild).

-### Important note
+### Important notes
+
+#### 1.0.0
+
+In [1.0.0](//github.com/imdario/mergo/releases/tag/1.0.0) Mergo moves to a vanity URL `dario.cat/mergo`.
+
+#### 0.3.9

 Please keep in mind that a problematic PR broke [0.3.9](//github.com/imdario/mergo/releases/tag/0.3.9). I reverted it in [0.3.10](//github.com/imdario/mergo/releases/tag/0.3.10), and I consider it stable but not bug-free. Also, this version adds support for go modules.

 Keep in mind that in [0.3.2](//github.com/imdario/mergo/releases/tag/0.3.2), Mergo changed `Merge()`and `Map()` signatures to support [transformers](#transformers). I added an optional/variadic argument so that it won't break the existing code.

-If you were using Mergo before April 6th, 2015, please check your project works as intended after updating your local copy with ```go get -u github.com/imdario/mergo```. I apologize for any issue caused by its previous behavior and any future bug that Mergo could cause in existing projects after the change (release 0.2.0).
+If you were using Mergo before April 6th, 2015, please check your project works as intended after updating your local copy with ```go get -u dario.cat/mergo```. I apologize for any issue caused by its previous behavior and any future bug that Mergo could cause in existing projects after the change (release 0.2.0).

 ### Donations

@@ -55,7 +70,6 @@ If Mergo is useful to you, consider buying me a coffee, a beer, or making a mont

 ### Mergo in the wild

- [cli/cli](https://github.com/cli/cli)
 - [moby/moby](https://github.com/moby/moby)
 - [kubernetes/kubernetes](https://github.com/kubernetes/kubernetes)
 - [vmware/dispatch](https://github.com/vmware/dispatch)
@@ -102,11 +116,11 @@ If Mergo is useful to you, consider buying me a coffee, a beer, or making a mont

 ## Install

-    go get github.com/imdario/mergo
+    go get dario.cat/mergo

    // use in your .go code
    import (
-        "github.com/imdario/mergo"
+        "dario.cat/mergo"
    )

 ## Usage
@@ -144,7 +158,7 @@ package main

 import (
 	"fmt"
-	"github.com/imdario/mergo"
+	"dario.cat/mergo"
 )

 type Foo struct {
@@ -180,9 +194,9 @@ package main

 import (
 	"fmt"
-	"github.com/imdario/mergo"
-        "reflect"
-        "time"
+	"dario.cat/mergo"
+    "reflect"
+    "time"
 )

 type timeTransformer struct {
@@ -231,5 +245,4 @@ Written by [Dario Castañé](http://dario.im).

 [BSD 3-Clause](http://opensource.org/licenses/BSD-3-Clause) license, as [Go language](http://golang.org/LICENSE).

-
 [![FOSSA Status](https://app.fossa.io/api/projects/git%2Bgithub.com%2Fimdario%2Fmergo.svg?type=large)](https://app.fossa.io/projects/git%2Bgithub.com%2Fimdario%2Fmergo?ref=badge_large)
--- a/vendor/dario.cat/mergo/SECURITY.md
+++ b/vendor/dario.cat/mergo/SECURITY.md
@@ -0,0 +1,14 @@
+# Security Policy
+
+## Supported Versions
+
+| Version | Supported          |
+| ------- | ------------------ |
+| 0.3.x   | :white_check_mark: |
+| < 0.3   | :x:                |
+
+## Security contact information
+
+To report a security vulnerability, please use the
+[Tidelift security contact](https://tidelift.com/security).
+Tidelift will coordinate the fix and disclosure.
--- a/vendor/github.com/imdario/mergo/doc.go
+++ b/vendor/github.com/imdario/mergo/doc.go
@@ -8,30 +8,36 @@ A helper to merge structs and maps in Golang. Useful for configuration default v

 Mergo merges same-type structs and maps by setting default values in zero-value fields. Mergo won't merge unexported (private) fields. It will do recursively any exported one. It also won't merge structs inside maps (because they are not addressable using Go reflection).

-Status
+# Status

 It is ready for production use. It is used in several projects by Docker, Google, The Linux Foundation, VMWare, Shopify, etc.

-Important note
+# Important notes
+
+1.0.0
+
+In 1.0.0 Mergo moves to a vanity URL `dario.cat/mergo`.
+
+0.3.9

 Please keep in mind that a problematic PR broke 0.3.9. We reverted it in 0.3.10. We consider 0.3.10 as stable but not bug-free. . Also, this version adds suppot for go modules.

 Keep in mind that in 0.3.2, Mergo changed Merge() and Map() signatures to support transformers. We added an optional/variadic argument so that it won't break the existing code.

-If you were using Mergo before April 6th, 2015, please check your project works as intended after updating your local copy with go get -u github.com/imdario/mergo. I apologize for any issue caused by its previous behavior and any future bug that Mergo could cause in existing projects after the change (release 0.2.0).
+If you were using Mergo before April 6th, 2015, please check your project works as intended after updating your local copy with go get -u dario.cat/mergo. I apologize for any issue caused by its previous behavior and any future bug that Mergo could cause in existing projects after the change (release 0.2.0).

-Install
+# Install

 Do your usual installation procedure:

-    go get github.com/imdario/mergo
+	go get dario.cat/mergo

-    // use in your .go code
-    import (
-        "github.com/imdario/mergo"
-    )
+	// use in your .go code
+	import (
+	    "dario.cat/mergo"
+	)

-Usage
+# Usage

 You can only merge same-type structs with exported fields initialized as zero value of their type and same-types maps. Mergo won't merge unexported (private) fields but will do recursively any exported one. It won't merge empty structs value as they are zero values too. Also, maps will be merged recursively except for structs inside maps (because they are not addressable using Go reflection).

@@ -59,7 +65,7 @@ Here is a nice example:

 	import (
 		"fmt"
-		"github.com/imdario/mergo"
+		"dario.cat/mergo"
 	)

 	type Foo struct {
@@ -81,7 +87,7 @@ Here is a nice example:
 		// {two 2}
 	}

-Transformers
+# Transformers

 Transformers allow to merge specific types differently than in the default behavior. In other words, now you can customize how some types are merged. For example, time.Time is a struct; it doesn't have zero value but IsZero can return true because it has fields with zero value. How can we merge a non-zero time.Time?

@@ -89,9 +95,9 @@ Transformers allow to merge specific types differently than in the default behav

 	import (
 		"fmt"
-		"github.com/imdario/mergo"
-			"reflect"
-			"time"
+		"dario.cat/mergo"
+		"reflect"
+		"time"
 	)

 	type timeTransformer struct {
@@ -127,17 +133,16 @@ Transformers allow to merge specific types differently than in the default behav
 		// { 2018-01-12 01:15:00 +0000 UTC m=+0.000000001 }
 	}

-Contact me
+# Contact me

 If I can help you, you have an idea or you are using Mergo in your projects, don't hesitate to drop me a line (or a pull request): https://twitter.com/im_dario

-About
+# About

 Written by Dario Castañé: https://da.rio.hn

-License
+# License

 BSD 3-Clause license, as Go language.
-
 */
 package mergo
--- a/vendor/github.com/imdario/mergo/map.go
+++ b/vendor/github.com/imdario/mergo/map.go
@@ -44,7 +44,7 @@ func deepMap(dst, src reflect.Value, visited map[uintptr]*visit, depth int, conf
 			}
 		}
 		// Remember, remember...
-		visited[h] = &visit{addr, typ, seen}
+		visited[h] = &visit{typ, seen, addr}
 	}
 	zeroValue := reflect.Value{}
 	switch dst.Kind() {
@@ -58,7 +58,7 @@ func deepMap(dst, src reflect.Value, visited map[uintptr]*visit, depth int, conf
 			}
 			fieldName := field.Name
 			fieldName = changeInitialCase(fieldName, unicode.ToLower)
-			if v, ok := dstMap[fieldName]; !ok || (isEmptyValue(reflect.ValueOf(v)) || overwrite) {
+			if v, ok := dstMap[fieldName]; !ok || (isEmptyValue(reflect.ValueOf(v), !config.ShouldNotDereference) || overwrite) {
 				dstMap[fieldName] = src.Field(i).Interface()
 			}
 		}
@@ -142,7 +142,7 @@ func MapWithOverwrite(dst, src interface{}, opts ...func(*Config)) error {

 func _map(dst, src interface{}, opts ...func(*Config)) error {
 	if dst != nil && reflect.ValueOf(dst).Kind() != reflect.Ptr {
-		return ErrNonPointerAgument
+		return ErrNonPointerArgument
 	}
 	var (
 		vDst, vSrc reflect.Value
--- a/vendor/github.com/imdario/mergo/merge.go
+++ b/vendor/github.com/imdario/mergo/merge.go
@@ -38,10 +38,11 @@ func isExportedComponent(field *reflect.StructField) bool {
 }

 type Config struct {
+	Transformers                 Transformers
 	Overwrite                    bool
+	ShouldNotDereference         bool
 	AppendSlice                  bool
 	TypeCheck                    bool
-	Transformers                 Transformers
 	overwriteWithEmptyValue      bool
 	overwriteSliceWithEmptyValue bool
 	sliceDeepCopy                bool
@@ -76,7 +77,7 @@ func deepMerge(dst, src reflect.Value, visited map[uintptr]*visit, depth int, co
 			}
 		}
 		// Remember, remember...
-		visited[h] = &visit{addr, typ, seen}
+		visited[h] = &visit{typ, seen, addr}
 	}

 	if config.Transformers != nil && !isReflectNil(dst) && dst.IsValid() {
@@ -95,7 +96,7 @@ func deepMerge(dst, src reflect.Value, visited map[uintptr]*visit, depth int, co
 				}
 			}
 		} else {
-			if dst.CanSet() && (isReflectNil(dst) || overwrite) && (!isEmptyValue(src) || overwriteWithEmptySrc) {
+			if dst.CanSet() && (isReflectNil(dst) || overwrite) && (!isEmptyValue(src, !config.ShouldNotDereference) || overwriteWithEmptySrc) {
 				dst.Set(src)
 			}
 		}
@@ -110,7 +111,7 @@ func deepMerge(dst, src reflect.Value, visited map[uintptr]*visit, depth int, co
 		}

 		if src.Kind() != reflect.Map {
-			if overwrite {
+			if overwrite && dst.CanSet() {
 				dst.Set(src)
 			}
 			return
@@ -162,7 +163,7 @@ func deepMerge(dst, src reflect.Value, visited map[uintptr]*visit, depth int, co
 						dstSlice = reflect.ValueOf(dstElement.Interface())
 					}

-					if (!isEmptyValue(src) || overwriteWithEmptySrc || overwriteSliceWithEmptySrc) && (overwrite || isEmptyValue(dst)) && !config.AppendSlice && !sliceDeepCopy {
+					if (!isEmptyValue(src, !config.ShouldNotDereference) || overwriteWithEmptySrc || overwriteSliceWithEmptySrc) && (overwrite || isEmptyValue(dst, !config.ShouldNotDereference)) && !config.AppendSlice && !sliceDeepCopy {
 						if typeCheck && srcSlice.Type() != dstSlice.Type() {
 							return fmt.Errorf("cannot override two slices with different type (%s, %s)", srcSlice.Type(), dstSlice.Type())
 						}
@@ -194,22 +195,38 @@ func deepMerge(dst, src reflect.Value, visited map[uintptr]*visit, depth int, co
 					dst.SetMapIndex(key, dstSlice)
 				}
 			}
-			if dstElement.IsValid() && !isEmptyValue(dstElement) && (reflect.TypeOf(srcElement.Interface()).Kind() == reflect.Map || reflect.TypeOf(srcElement.Interface()).Kind() == reflect.Slice) {
-				continue
+
+			if dstElement.IsValid() && !isEmptyValue(dstElement, !config.ShouldNotDereference) {
+				if reflect.TypeOf(srcElement.Interface()).Kind() == reflect.Slice {
+					continue
+				}
+				if reflect.TypeOf(srcElement.Interface()).Kind() == reflect.Map && reflect.TypeOf(dstElement.Interface()).Kind() == reflect.Map {
+					continue
+				}
 			}

-			if srcElement.IsValid() && ((srcElement.Kind() != reflect.Ptr && overwrite) || !dstElement.IsValid() || isEmptyValue(dstElement)) {
+			if srcElement.IsValid() && ((srcElement.Kind() != reflect.Ptr && overwrite) || !dstElement.IsValid() || isEmptyValue(dstElement, !config.ShouldNotDereference)) {
 				if dst.IsNil() {
 					dst.Set(reflect.MakeMap(dst.Type()))
 				}
 				dst.SetMapIndex(key, srcElement)
 			}
 		}
+
+		// Ensure that all keys in dst are deleted if they are not in src.
+		if overwriteWithEmptySrc {
+			for _, key := range dst.MapKeys() {
+				srcElement := src.MapIndex(key)
+				if !srcElement.IsValid() {
+					dst.SetMapIndex(key, reflect.Value{})
+				}
+			}
+		}
 	case reflect.Slice:
 		if !dst.CanSet() {
 			break
 		}
-		if (!isEmptyValue(src) || overwriteWithEmptySrc || overwriteSliceWithEmptySrc) && (overwrite || isEmptyValue(dst)) && !config.AppendSlice && !sliceDeepCopy {
+		if (!isEmptyValue(src, !config.ShouldNotDereference) || overwriteWithEmptySrc || overwriteSliceWithEmptySrc) && (overwrite || isEmptyValue(dst, !config.ShouldNotDereference)) && !config.AppendSlice && !sliceDeepCopy {
 			dst.Set(src)
 		} else if config.AppendSlice {
 			if src.Type() != dst.Type() {
@@ -244,12 +261,18 @@ func deepMerge(dst, src reflect.Value, visited map[uintptr]*visit, depth int, co

 		if src.Kind() != reflect.Interface {
 			if dst.IsNil() || (src.Kind() != reflect.Ptr && overwrite) {
-				if dst.CanSet() && (overwrite || isEmptyValue(dst)) {
+				if dst.CanSet() && (overwrite || isEmptyValue(dst, !config.ShouldNotDereference)) {
 					dst.Set(src)
 				}
 			} else if src.Kind() == reflect.Ptr {
-				if err = deepMerge(dst.Elem(), src.Elem(), visited, depth+1, config); err != nil {
-					return
+				if !config.ShouldNotDereference {
+					if err = deepMerge(dst.Elem(), src.Elem(), visited, depth+1, config); err != nil {
+						return
+					}
+				} else {
+					if overwriteWithEmptySrc || (overwrite && !src.IsNil()) || dst.IsNil() {
+						dst.Set(src)
+					}
 				}
 			} else if dst.Elem().Type() == src.Type() {
 				if err = deepMerge(dst.Elem(), src, visited, depth+1, config); err != nil {
@@ -262,7 +285,7 @@ func deepMerge(dst, src reflect.Value, visited map[uintptr]*visit, depth int, co
 		}

 		if dst.IsNil() || overwrite {
-			if dst.CanSet() && (overwrite || isEmptyValue(dst)) {
+			if dst.CanSet() && (overwrite || isEmptyValue(dst, !config.ShouldNotDereference)) {
 				dst.Set(src)
 			}
 			break
@@ -275,7 +298,7 @@ func deepMerge(dst, src reflect.Value, visited map[uintptr]*visit, depth int, co
 			break
 		}
 	default:
-		mustSet := (isEmptyValue(dst) || overwrite) && (!isEmptyValue(src) || overwriteWithEmptySrc)
+		mustSet := (isEmptyValue(dst, !config.ShouldNotDereference) || overwrite) && (!isEmptyValue(src, !config.ShouldNotDereference) || overwriteWithEmptySrc)
 		if mustSet {
 			if dst.CanSet() {
 				dst.Set(src)
@@ -326,6 +349,12 @@ func WithOverrideEmptySlice(config *Config) {
 	config.overwriteSliceWithEmptyValue = true
 }

+// WithoutDereference prevents dereferencing pointers when evaluating whether they are empty
+// (i.e. a non-nil pointer is never considered empty).
+func WithoutDereference(config *Config) {
+	config.ShouldNotDereference = true
+}
+
 // WithAppendSlice will make merge append slices instead of overwriting it.
 func WithAppendSlice(config *Config) {
 	config.AppendSlice = true
@@ -344,7 +373,7 @@ func WithSliceDeepCopy(config *Config) {

 func merge(dst, src interface{}, opts ...func(*Config)) error {
 	if dst != nil && reflect.ValueOf(dst).Kind() != reflect.Ptr {
-		return ErrNonPointerAgument
+		return ErrNonPointerArgument
 	}
 	var (
 		vDst, vSrc reflect.Value
--- a/vendor/github.com/imdario/mergo/mergo.go
+++ b/vendor/github.com/imdario/mergo/mergo.go
@@ -20,7 +20,7 @@ var (
 	ErrNotSupported                = errors.New("only structs, maps, and slices are supported")
 	ErrExpectedMapAsDestination    = errors.New("dst was expected to be a map")
 	ErrExpectedStructAsDestination = errors.New("dst was expected to be a struct")
-	ErrNonPointerAgument           = errors.New("dst must be a pointer")
+	ErrNonPointerArgument          = errors.New("dst must be a pointer")
 )

 // During deepMerge, must keep track of checks that are
@@ -28,13 +28,13 @@ var (
 // checks in progress are true when it reencounters them.
 // Visited are stored in a map indexed by 17 * a1 + a2;
 type visit struct {
-	ptr  uintptr
 	typ  reflect.Type
 	next *visit
+	ptr  uintptr
 }

 // From src/pkg/encoding/json/encode.go.
-func isEmptyValue(v reflect.Value) bool {
+func isEmptyValue(v reflect.Value, shouldDereference bool) bool {
 	switch v.Kind() {
 	case reflect.Array, reflect.Map, reflect.Slice, reflect.String:
 		return v.Len() == 0
@@ -50,7 +50,10 @@ func isEmptyValue(v reflect.Value) bool {
 		if v.IsNil() {
 			return true
 		}
-		return isEmptyValue(v.Elem())
+		if shouldDereference {
+			return isEmptyValue(v.Elem(), shouldDereference)
+		}
+		return false
 	case reflect.Func:
 		return v.IsNil()
 	case reflect.Invalid:
--- a/vendor/github.com/BurntSushi/toml/decode.go
+++ b/vendor/github.com/BurntSushi/toml/decode.go
@@ -91,7 +91,7 @@ const (
 // UnmarshalText method. See the Unmarshaler example for a demonstration with
 // email addresses.
 //
-// ### Key mapping
+// # Key mapping
 //
 // TOML keys can map to either keys in a Go map or field names in a Go struct.
 // The special `toml` struct tag can be used to map TOML keys to struct fields
@@ -248,7 +248,7 @@ func (md *MetaData) unify(data interface{}, rv reflect.Value) error {
 	case reflect.Bool:
 		return md.unifyBool(data, rv)
 	case reflect.Interface:
-		if rv.NumMethod() > 0 { // Only support empty interfaces are supported.
+		if rv.NumMethod() > 0 { /// Only empty interfaces are supported.
 			return md.e("unsupported type %s", rv.Type())
 		}
 		return md.unifyAnything(data, rv)
--- a/vendor/github.com/BurntSushi/toml/deprecated.go
+++ b/vendor/github.com/BurntSushi/toml/deprecated.go
@@ -5,17 +5,25 @@ import (
 	"io"
 )

+// TextMarshaler is an alias for encoding.TextMarshaler.
+//
 // Deprecated: use encoding.TextMarshaler
 type TextMarshaler encoding.TextMarshaler

+// TextUnmarshaler is an alias for encoding.TextUnmarshaler.
+//
 // Deprecated: use encoding.TextUnmarshaler
 type TextUnmarshaler encoding.TextUnmarshaler

+// PrimitiveDecode is an alias for MetaData.PrimitiveDecode().
+//
 // Deprecated: use MetaData.PrimitiveDecode.
 func PrimitiveDecode(primValue Primitive, v interface{}) error {
 	md := MetaData{decoded: make(map[string]struct{})}
 	return md.unify(primValue.undecoded, rvalue(v))
 }

+// DecodeReader is an alias for NewDecoder(r).Decode(v).
+//
 // Deprecated: use NewDecoder(reader).Decode(&value).
 func DecodeReader(r io.Reader, v interface{}) (MetaData, error) { return NewDecoder(r).Decode(v) }
--- a/vendor/github.com/BurntSushi/toml/encode.go
+++ b/vendor/github.com/BurntSushi/toml/encode.go
@@ -136,7 +136,8 @@ func NewEncoder(w io.Writer) *Encoder {
 // document.
 func (enc *Encoder) Encode(v interface{}) error {
 	rv := eindirect(reflect.ValueOf(v))
-	if err := enc.safeEncode(Key([]string{}), rv); err != nil {
+	err := enc.safeEncode(Key([]string{}), rv)
+	if err != nil {
 		return err
 	}
 	return enc.w.Flush()
@@ -457,6 +458,16 @@ func (enc *Encoder) eStruct(key Key, rv reflect.Value, inline bool) {

 			frv := eindirect(rv.Field(i))

+			if is32Bit {
+				// Copy so it works correct on 32bit archs; not clear why this
+				// is needed. See #314, and https://www.reddit.com/r/golang/comments/pnx8v4
+				// This also works fine on 64bit, but 32bit archs are somewhat
+				// rare and this is a wee bit faster.
+				copyStart := make([]int, len(start))
+				copy(copyStart, start)
+				start = copyStart
+			}
+
 			// Treat anonymous struct fields with tag names as though they are
 			// not anonymous, like encoding/json does.
 			//
@@ -471,17 +482,7 @@ func (enc *Encoder) eStruct(key Key, rv reflect.Value, inline bool) {
 			if typeIsTable(tomlTypeOfGo(frv)) {
 				fieldsSub = append(fieldsSub, append(start, f.Index...))
 			} else {
-				// Copy so it works correct on 32bit archs; not clear why this
-				// is needed. See #314, and https://www.reddit.com/r/golang/comments/pnx8v4
-				// This also works fine on 64bit, but 32bit archs are somewhat
-				// rare and this is a wee bit faster.
-				if is32Bit {
-					copyStart := make([]int, len(start))
-					copy(copyStart, start)
-					fieldsDirect = append(fieldsDirect, append(copyStart, f.Index...))
-				} else {
-					fieldsDirect = append(fieldsDirect, append(start, f.Index...))
-				}
+				fieldsDirect = append(fieldsDirect, append(start, f.Index...))
 			}
 		}
 	}
@@ -490,24 +491,27 @@ func (enc *Encoder) eStruct(key Key, rv reflect.Value, inline bool) {
 	writeFields := func(fields [][]int) {
 		for _, fieldIndex := range fields {
 			fieldType := rt.FieldByIndex(fieldIndex)
-			fieldVal := eindirect(rv.FieldByIndex(fieldIndex))
-
-			if isNil(fieldVal) { /// Don't write anything for nil fields.
-				continue
-			}
+			fieldVal := rv.FieldByIndex(fieldIndex)

 			opts := getOptions(fieldType.Tag)
 			if opts.skip {
 				continue
 			}
+			if opts.omitempty && isEmpty(fieldVal) {
+				continue
+			}
+
+			fieldVal = eindirect(fieldVal)
+
+			if isNil(fieldVal) { /// Don't write anything for nil fields.
+				continue
+			}
+
 			keyName := fieldType.Name
 			if opts.name != "" {
 				keyName = opts.name
 			}

-			if opts.omitempty && enc.isEmpty(fieldVal) {
-				continue
-			}
 			if opts.omitzero && isZero(fieldVal) {
 				continue
 			}
@@ -649,7 +653,7 @@ func isZero(rv reflect.Value) bool {
 	return false
 }

-func (enc *Encoder) isEmpty(rv reflect.Value) bool {
+func isEmpty(rv reflect.Value) bool {
 	switch rv.Kind() {
 	case reflect.Array, reflect.Slice, reflect.Map, reflect.String:
 		return rv.Len() == 0
@@ -664,13 +668,15 @@ func (enc *Encoder) isEmpty(rv reflect.Value) bool {
 		//   type b struct{ s []string }
 		//   s := a{field: b{s: []string{"AAA"}}}
 		for i := 0; i < rv.NumField(); i++ {
-			if !enc.isEmpty(rv.Field(i)) {
+			if !isEmpty(rv.Field(i)) {
 				return false
 			}
 		}
 		return true
 	case reflect.Bool:
 		return !rv.Bool()
+	case reflect.Ptr:
+		return rv.IsNil()
 	}
 	return false
 }
@@ -693,8 +699,11 @@ func (enc *Encoder) newline() {
 //	v      v   v  v    vv
 //	key = {k = 1, k2 = 2}
 func (enc *Encoder) writeKeyValue(key Key, val reflect.Value, inline bool) {
+	/// Marshaler used on top-level document; call eElement() to just call
+	/// Marshal{TOML,Text}.
 	if len(key) == 0 {
-		encPanic(errNoKey)
+		enc.eElement(val)
+		return
 	}
 	enc.wf("%s%s = ", enc.indentStr(key), key.maybeQuoted(len(key)-1))
 	enc.eElement(val)
--- a/vendor/github.com/BurntSushi/toml/error.go
+++ b/vendor/github.com/BurntSushi/toml/error.go
@@ -84,7 +84,7 @@ func (pe ParseError) Error() string {
 		pe.Position.Line, pe.LastKey, msg)
 }

-// ErrorWithUsage() returns the error with detailed location context.
+// ErrorWithPosition returns the error with detailed location context.
 //
 // See the documentation on [ParseError].
 func (pe ParseError) ErrorWithPosition() string {
@@ -124,7 +124,7 @@ func (pe ParseError) ErrorWithPosition() string {
 	return b.String()
 }

-// ErrorWithUsage() returns the error with detailed location context and usage
+// ErrorWithUsage returns the error with detailed location context and usage
 // guidance.
 //
 // See the documentation on [ParseError].
--- a/vendor/github.com/BurntSushi/toml/lex.go
+++ b/vendor/github.com/BurntSushi/toml/lex.go
@@ -46,12 +46,13 @@ func (p Position) String() string {
 }

 type lexer struct {
-	input string
-	start int
-	pos   int
-	line  int
-	state stateFn
-	items chan item
+	input    string
+	start    int
+	pos      int
+	line     int
+	state    stateFn
+	items    chan item
+	tomlNext bool

 	// Allow for backing up up to 4 runes. This is necessary because TOML
 	// contains 3-rune tokens (""" and ''').
@@ -87,13 +88,14 @@ func (lx *lexer) nextItem() item {
 	}
 }

-func lex(input string) *lexer {
+func lex(input string, tomlNext bool) *lexer {
 	lx := &lexer{
-		input: input,
-		state: lexTop,
-		items: make(chan item, 10),
-		stack: make([]stateFn, 0, 10),
-		line:  1,
+		input:    input,
+		state:    lexTop,
+		items:    make(chan item, 10),
+		stack:    make([]stateFn, 0, 10),
+		line:     1,
+		tomlNext: tomlNext,
 	}
 	return lx
 }
@@ -408,7 +410,7 @@ func lexTableNameEnd(lx *lexer) stateFn {
 // Lexes only one part, e.g. only 'a' inside 'a.b'.
 func lexBareName(lx *lexer) stateFn {
 	r := lx.next()
-	if isBareKeyChar(r) {
+	if isBareKeyChar(r, lx.tomlNext) {
 		return lexBareName
 	}
 	lx.backup()
@@ -618,6 +620,9 @@ func lexInlineTableValue(lx *lexer) stateFn {
 	case isWhitespace(r):
 		return lexSkip(lx, lexInlineTableValue)
 	case isNL(r):
+		if lx.tomlNext {
+			return lexSkip(lx, lexInlineTableValue)
+		}
 		return lx.errorPrevLine(errLexInlineTableNL{})
 	case r == '#':
 		lx.push(lexInlineTableValue)
@@ -640,6 +645,9 @@ func lexInlineTableValueEnd(lx *lexer) stateFn {
 	case isWhitespace(r):
 		return lexSkip(lx, lexInlineTableValueEnd)
 	case isNL(r):
+		if lx.tomlNext {
+			return lexSkip(lx, lexInlineTableValueEnd)
+		}
 		return lx.errorPrevLine(errLexInlineTableNL{})
 	case r == '#':
 		lx.push(lexInlineTableValueEnd)
@@ -648,6 +656,9 @@ func lexInlineTableValueEnd(lx *lexer) stateFn {
 		lx.ignore()
 		lx.skip(isWhitespace)
 		if lx.peek() == '}' {
+			if lx.tomlNext {
+				return lexInlineTableValueEnd
+			}
 			return lx.errorf("trailing comma not allowed in inline tables")
 		}
 		return lexInlineTableValue
@@ -770,8 +781,8 @@ func lexRawString(lx *lexer) stateFn {
 	}
 }

-// lexMultilineRawString consumes a raw string. Nothing can be escaped in such
-// a string. It assumes that the beginning ''' has already been consumed and
+// lexMultilineRawString consumes a raw string. Nothing can be escaped in such a
+// string. It assumes that the beginning triple-' has already been consumed and
 // ignored.
 func lexMultilineRawString(lx *lexer) stateFn {
 	r := lx.next()
@@ -828,6 +839,11 @@ func lexMultilineStringEscape(lx *lexer) stateFn {
 func lexStringEscape(lx *lexer) stateFn {
 	r := lx.next()
 	switch r {
+	case 'e':
+		if !lx.tomlNext {
+			return lx.error(errLexEscape{r})
+		}
+		fallthrough
 	case 'b':
 		fallthrough
 	case 't':
@@ -846,6 +862,11 @@ func lexStringEscape(lx *lexer) stateFn {
 		fallthrough
 	case '\\':
 		return lx.pop()
+	case 'x':
+		if !lx.tomlNext {
+			return lx.error(errLexEscape{r})
+		}
+		return lexHexEscape
 	case 'u':
 		return lexShortUnicodeEscape
 	case 'U':
@@ -854,6 +875,19 @@ func lexStringEscape(lx *lexer) stateFn {
 	return lx.error(errLexEscape{r})
 }

+func lexHexEscape(lx *lexer) stateFn {
+	var r rune
+	for i := 0; i < 2; i++ {
+		r = lx.next()
+		if !isHexadecimal(r) {
+			return lx.errorf(
+				`expected two hexadecimal digits after '\x', but got %q instead`,
+				lx.current())
+		}
+	}
+	return lx.pop()
+}
+
 func lexShortUnicodeEscape(lx *lexer) stateFn {
 	var r rune
 	for i := 0; i < 4; i++ {
@@ -1225,7 +1259,23 @@ func isOctal(r rune) bool  { return r >= '0' && r <= '7' }
 func isHexadecimal(r rune) bool {
 	return (r >= '0' && r <= '9') || (r >= 'a' && r <= 'f') || (r >= 'A' && r <= 'F')
 }
-func isBareKeyChar(r rune) bool {
+
+func isBareKeyChar(r rune, tomlNext bool) bool {
+	if tomlNext {
+		return (r >= 'A' && r <= 'Z') ||
+			(r >= 'a' && r <= 'z') ||
+			(r >= '0' && r <= '9') ||
+			r == '_' || r == '-' ||
+			r == 0xb2 || r == 0xb3 || r == 0xb9 || (r >= 0xbc && r <= 0xbe) ||
+			(r >= 0xc0 && r <= 0xd6) || (r >= 0xd8 && r <= 0xf6) || (r >= 0xf8 && r <= 0x037d) ||
+			(r >= 0x037f && r <= 0x1fff) ||
+			(r >= 0x200c && r <= 0x200d) || (r >= 0x203f && r <= 0x2040) ||
+			(r >= 0x2070 && r <= 0x218f) || (r >= 0x2460 && r <= 0x24ff) ||
+			(r >= 0x2c00 && r <= 0x2fef) || (r >= 0x3001 && r <= 0xd7ff) ||
+			(r >= 0xf900 && r <= 0xfdcf) || (r >= 0xfdf0 && r <= 0xfffd) ||
+			(r >= 0x10000 && r <= 0xeffff)
+	}
+
 	return (r >= 'A' && r <= 'Z') ||
 		(r >= 'a' && r <= 'z') ||
 		(r >= '0' && r <= '9') ||
--- a/vendor/github.com/BurntSushi/toml/meta.go
+++ b/vendor/github.com/BurntSushi/toml/meta.go
@@ -106,7 +106,7 @@ func (k Key) maybeQuoted(i int) string {
 		return `""`
 	}
 	for _, c := range k[i] {
-		if !isBareKeyChar(c) {
+		if !isBareKeyChar(c, false) {
 			return `"` + dblQuotedReplacer.Replace(k[i]) + `"`
 		}
 	}
--- a/vendor/github.com/BurntSushi/toml/parse.go
+++ b/vendor/github.com/BurntSushi/toml/parse.go
@@ -2,6 +2,7 @@ package toml

 import (
 	"fmt"
+	"os"
 	"strconv"
 	"strings"
 	"time"
@@ -15,6 +16,7 @@ type parser struct {
 	context    Key      // Full key for the current hash in scope.
 	currentKey string   // Base key name for everything except hashes.
 	pos        Position // Current position in the TOML file.
+	tomlNext   bool

 	ordered []Key // List of keys in the order that they appear in the TOML data.

@@ -29,6 +31,8 @@ type keyInfo struct {
 }

 func parse(data string) (p *parser, err error) {
+	_, tomlNext := os.LookupEnv("BURNTSUSHI_TOML_110")
+
 	defer func() {
 		if r := recover(); r != nil {
 			if pErr, ok := r.(ParseError); ok {
@@ -41,9 +45,12 @@ func parse(data string) (p *parser, err error) {
 	}()

 	// Read over BOM; do this here as the lexer calls utf8.DecodeRuneInString()
-	// which mangles stuff.
-	if strings.HasPrefix(data, "\xff\xfe") || strings.HasPrefix(data, "\xfe\xff") {
+	// which mangles stuff. UTF-16 BOM isn't strictly valid, but some tools add
+	// it anyway.
+	if strings.HasPrefix(data, "\xff\xfe") || strings.HasPrefix(data, "\xfe\xff") { // UTF-16
 		data = data[2:]
+	} else if strings.HasPrefix(data, "\xef\xbb\xbf") { // UTF-8
+		data = data[3:]
 	}

 	// Examine first few bytes for NULL bytes; this probably means it's a UTF-16
@@ -65,9 +72,10 @@ func parse(data string) (p *parser, err error) {
 	p = &parser{
 		keyInfo:   make(map[string]keyInfo),
 		mapping:   make(map[string]interface{}),
-		lx:        lex(data),
+		lx:        lex(data, tomlNext),
 		ordered:   make([]Key, 0),
 		implicits: make(map[string]struct{}),
+		tomlNext:  tomlNext,
 	}
 	for {
 		item := p.next()
@@ -194,12 +202,12 @@ func (p *parser) topLevel(item item) {
 		for i := range context {
 			p.addImplicitContext(append(p.context, context[i:i+1]...))
 		}
+		p.ordered = append(p.ordered, p.context.add(p.currentKey))

 		/// Set value.
 		vItem := p.next()
 		val, typ := p.value(vItem, false)
 		p.set(p.currentKey, val, typ, vItem.pos)
-		p.ordered = append(p.ordered, p.context.add(p.currentKey))

 		/// Remove the context we added (preserving any context from [tbl] lines).
 		p.context = outerContext
@@ -236,7 +244,7 @@ func (p *parser) value(it item, parentIsArray bool) (interface{}, tomlType) {
 	case itemString:
 		return p.replaceEscapes(it, it.val), p.typeOfPrimitive(it)
 	case itemMultilineString:
-		return p.replaceEscapes(it, stripFirstNewline(p.stripEscapedNewlines(it.val))), p.typeOfPrimitive(it)
+		return p.replaceEscapes(it, p.stripEscapedNewlines(stripFirstNewline(it.val))), p.typeOfPrimitive(it)
 	case itemRawString:
 		return it.val, p.typeOfPrimitive(it)
 	case itemRawMultilineString:
@@ -331,11 +339,17 @@ func (p *parser) valueFloat(it item) (interface{}, tomlType) {
 var dtTypes = []struct {
 	fmt  string
 	zone *time.Location
+	next bool
 }{
-	{time.RFC3339Nano, time.Local},
-	{"2006-01-02T15:04:05.999999999", internal.LocalDatetime},
-	{"2006-01-02", internal.LocalDate},
-	{"15:04:05.999999999", internal.LocalTime},
+	{time.RFC3339Nano, time.Local, false},
+	{"2006-01-02T15:04:05.999999999", internal.LocalDatetime, false},
+	{"2006-01-02", internal.LocalDate, false},
+	{"15:04:05.999999999", internal.LocalTime, false},
+
+	// tomlNext
+	{"2006-01-02T15:04Z07:00", time.Local, true},
+	{"2006-01-02T15:04", internal.LocalDatetime, true},
+	{"15:04", internal.LocalTime, true},
 }

 func (p *parser) valueDatetime(it item) (interface{}, tomlType) {
@@ -346,6 +360,9 @@ func (p *parser) valueDatetime(it item) (interface{}, tomlType) {
 		err error
 	)
 	for _, dt := range dtTypes {
+		if dt.next && !p.tomlNext {
+			continue
+		}
 		t, err = time.ParseInLocation(dt.fmt, it.val, dt.zone)
 		if err == nil {
 			ok = true
@@ -384,6 +401,7 @@ func (p *parser) valueArray(it item) (interface{}, tomlType) {
 		//
 		// Not entirely sure how to best store this; could use "key[0]",
 		// "key[1]" notation, or maybe store it on the Array type?
+		_ = types
 	}
 	return array, tomlArray
 }
@@ -426,11 +444,11 @@ func (p *parser) valueInlineTable(it item, parentIsArray bool) (interface{}, tom
 		for i := range context {
 			p.addImplicitContext(append(p.context, context[i:i+1]...))
 		}
+		p.ordered = append(p.ordered, p.context.add(p.currentKey))

 		/// Set the value.
 		val, typ := p.value(p.next(), false)
 		p.set(p.currentKey, val, typ, it.pos)
-		p.ordered = append(p.ordered, p.context.add(p.currentKey))
 		hash[p.currentKey] = val

 		/// Restore context.
@@ -551,7 +569,6 @@ func (p *parser) addContext(key Key, array bool) {
 func (p *parser) set(key string, val interface{}, typ tomlType, pos Position) {
 	p.setValue(key, val)
 	p.setType(key, typ, pos)
-
 }

 // setValue sets the given key to the given value in the current context.
@@ -632,14 +649,11 @@ func (p *parser) setType(key string, typ tomlType, pos Position) {

 // Implicit keys need to be created when tables are implied in "a.b.c.d = 1" and
 // "[a.b.c]" (the "a", "b", and "c" hashes are never created explicitly).
-func (p *parser) addImplicit(key Key)     { p.implicits[key.String()] = struct{}{} }
-func (p *parser) removeImplicit(key Key)  { delete(p.implicits, key.String()) }
-func (p *parser) isImplicit(key Key) bool { _, ok := p.implicits[key.String()]; return ok }
-func (p *parser) isArray(key Key) bool    { return p.keyInfo[key.String()].tomlType == tomlArray }
-func (p *parser) addImplicitContext(key Key) {
-	p.addImplicit(key)
-	p.addContext(key, false)
-}
+func (p *parser) addImplicit(key Key)        { p.implicits[key.String()] = struct{}{} }
+func (p *parser) removeImplicit(key Key)     { delete(p.implicits, key.String()) }
+func (p *parser) isImplicit(key Key) bool    { _, ok := p.implicits[key.String()]; return ok }
+func (p *parser) isArray(key Key) bool       { return p.keyInfo[key.String()].tomlType == tomlArray }
+func (p *parser) addImplicitContext(key Key) { p.addImplicit(key); p.addContext(key, false) }

 // current returns the full key name of the current context.
 func (p *parser) current() string {
@@ -662,49 +676,54 @@ func stripFirstNewline(s string) string {
 	return s
 }

-// Remove newlines inside triple-quoted strings if a line ends with "\".
+// stripEscapedNewlines removes whitespace after line-ending backslashes in
+// multiline strings.
+//
+// A line-ending backslash is an unescaped \ followed only by whitespace until
+// the next newline. After a line-ending backslash, all whitespace is removed
+// until the next non-whitespace character.
 func (p *parser) stripEscapedNewlines(s string) string {
-	split := strings.Split(s, "\n")
-	if len(split) < 1 {
-		return s
-	}
+	var b strings.Builder
+	var i int
+	for {
+		ix := strings.Index(s[i:], `\`)
+		if ix < 0 {
+			b.WriteString(s)
+			return b.String()
+		}
+		i += ix

-	escNL := false // Keep track of the last non-blank line was escaped.
-	for i, line := range split {
-		line = strings.TrimRight(line, " \t\r")
-
-		if len(line) == 0 || line[len(line)-1] != '\\' {
-			split[i] = strings.TrimRight(split[i], "\r")
-			if !escNL && i != len(split)-1 {
-				split[i] += "\n"
+		if len(s) > i+1 && s[i+1] == '\\' {
+			// Escaped backslash.
+			i += 2
+			continue
+		}
+		// Scan until the next non-whitespace.
+		j := i + 1
+	whitespaceLoop:
+		for ; j < len(s); j++ {
+			switch s[j] {
+			case ' ', '\t', '\r', '\n':
+			default:
+				break whitespaceLoop
 			}
+		}
+		if j == i+1 {
+			// Not a whitespace escape.
+			i++
 			continue
 		}
-
-		escBS := true
-		for j := len(line) - 1; j >= 0 && line[j] == '\\'; j-- {
-			escBS = !escBS
-		}
-		if escNL {
-			line = strings.TrimLeft(line, " \t\r")
-		}
-		escNL = !escBS
-
-		if escBS {
-			split[i] += "\n"
+		if !strings.Contains(s[i:j], "\n") {
+			// This is not a line-ending backslash.
+			// (It's a bad escape sequence, but we can let
+			// replaceEscapes catch it.)
+			i++
 			continue
 		}
-
-		if i == len(split)-1 {
-			p.panicf("invalid escape: '\\ '")
-		}
-
-		split[i] = line[:len(line)-1] // Remove \
-		if len(split)-1 > i {
-			split[i+1] = strings.TrimLeft(split[i+1], " \t\r")
-		}
+		b.WriteString(s[:i])
+		s = s[j:]
+		i = 0
 	}
-	return strings.Join(split, "")
 }

 func (p *parser) replaceEscapes(it item, str string) string {
@@ -743,12 +762,23 @@ func (p *parser) replaceEscapes(it item, str string) string {
 		case 'r':
 			replaced = append(replaced, rune(0x000D))
 			r += 1
+		case 'e':
+			if p.tomlNext {
+				replaced = append(replaced, rune(0x001B))
+				r += 1
+			}
 		case '"':
 			replaced = append(replaced, rune(0x0022))
 			r += 1
 		case '\\':
 			replaced = append(replaced, rune(0x005C))
 			r += 1
+		case 'x':
+			if p.tomlNext {
+				escaped := p.asciiEscapeToUnicode(it, s[r+1:r+3])
+				replaced = append(replaced, escaped)
+				r += 3
+			}
 		case 'u':
 			// At this point, we know we have a Unicode escape of the form
 			// `uXXXX` at [r, r+5). (Because the lexer guarantees this
--- a/vendor/github.com/Masterminds/semver/v3/.gitignore
+++ b/vendor/github.com/Masterminds/semver/v3/.gitignore
@@ -0,0 +1 @@
+_fuzz/
--- a/vendor/github.com/Masterminds/semver/v3/.golangci.yml
+++ b/vendor/github.com/Masterminds/semver/v3/.golangci.yml
@@ -0,0 +1,27 @@
+run:
+  deadline: 2m
+
+linters:
+  disable-all: true
+  enable:
+    - misspell
+    - govet
+    - staticcheck
+    - errcheck
+    - unparam
+    - ineffassign
+    - nakedret
+    - gocyclo
+    - dupl
+    - goimports
+    - revive
+    - gosec
+    - gosimple
+    - typecheck
+    - unused
+
+linters-settings:
+  gofmt:
+    simplify: true
+  dupl:
+    threshold: 600
--- a/vendor/github.com/Masterminds/semver/v3/CHANGELOG.md
+++ b/vendor/github.com/Masterminds/semver/v3/CHANGELOG.md
@@ -0,0 +1,214 @@
+# Changelog
+
+## 3.2.0 (2022-11-28)
+
+### Added
+
+- #190: Added text marshaling and unmarshaling
+- #167: Added JSON marshalling for constraints (thanks @SimonTheLeg)
+- #173: Implement encoding.TextMarshaler and encoding.TextUnmarshaler on Version (thanks @MarkRosemaker)
+- #179: Added New() version constructor (thanks @kazhuravlev)
+
+### Changed
+
+- #182/#183: Updated CI testing setup
+
+### Fixed
+
+- #186: Fixing issue where validation of constraint section gave false positives
+- #176: Fix constraints check with *-0 (thanks @mtt0)
+- #181: Fixed Caret operator (^) gives unexpected results when the minor version in constraint is 0 (thanks @arshchimni)
+- #161: Fixed godoc (thanks @afirth)
+
+## 3.1.1 (2020-11-23)
+
+### Fixed
+
+- #158: Fixed issue with generated regex operation order that could cause problem
+
+## 3.1.0 (2020-04-15)
+
+### Added
+
+- #131: Add support for serializing/deserializing SQL (thanks @ryancurrah)
+
+### Changed
+
+- #148: More accurate validation messages on constraints
+
+## 3.0.3 (2019-12-13)
+
+### Fixed
+
+- #141: Fixed issue with <= comparison
+
+## 3.0.2 (2019-11-14)
+
+### Fixed
+
+- #134: Fixed broken constraint checking with ^0.0 (thanks @krmichelos)
+
+## 3.0.1 (2019-09-13)
+
+### Fixed
+
+- #125: Fixes issue with module path for v3
+
+## 3.0.0 (2019-09-12)
+
+This is a major release of the semver package which includes API changes. The Go
+API is compatible with ^1. The Go API was not changed because many people are using
+`go get` without Go modules for their applications and API breaking changes cause
+errors which we have or would need to support.
+
+The changes in this release are the handling based on the data passed into the
+functions. These are described in the added and changed sections below.
+
+### Added
+
+- StrictNewVersion function. This is similar to NewVersion but will return an
+  error if the version passed in is not a strict semantic version. For example,
+  1.2.3 would pass but v1.2.3 or 1.2 would fail because they are not strictly
+  speaking semantic versions. This function is faster, performs fewer operations,
+  and uses fewer allocations than NewVersion.
+- Fuzzing has been performed on NewVersion, StrictNewVersion, and NewConstraint.
+  The Makefile contains the operations used. For more information on you can start
+  on Wikipedia at https://en.wikipedia.org/wiki/Fuzzing
+- Now using Go modules
+
+### Changed
+
+- NewVersion has proper prerelease and metadata validation with error messages
+  to signal an issue with either of them
+- ^ now operates using a similar set of rules to npm/js and Rust/Cargo. If the
+  version is >=1 the ^ ranges works the same as v1. For major versions of 0 the
+  rules have changed. The minor version is treated as the stable version unless
+  a patch is specified and then it is equivalent to =. One difference from npm/js
+  is that prereleases there are only to a specific version (e.g. 1.2.3).
+  Prereleases here look over multiple versions and follow semantic version
+  ordering rules. This pattern now follows along with the expected and requested
+  handling of this packaged by numerous users.
+
+## 1.5.0 (2019-09-11)
+
+### Added
+
+- #103: Add basic fuzzing for `NewVersion()` (thanks @jesse-c)
+
+### Changed
+
+- #82: Clarify wildcard meaning in range constraints and update tests for it (thanks @greysteil)
+- #83: Clarify caret operator range for pre-1.0.0 dependencies (thanks @greysteil)
+- #72: Adding docs comment pointing to vert for a cli
+- #71: Update the docs on pre-release comparator handling
+- #89: Test with new go versions (thanks @thedevsaddam)
+- #87: Added $ to ValidPrerelease for better validation (thanks @jeremycarroll)
+
+### Fixed
+
+- #78: Fix unchecked error in example code (thanks @ravron)
+- #70: Fix the handling of pre-releases and the 0.0.0 release edge case
+- #97: Fixed copyright file for proper display on GitHub
+- #107: Fix handling prerelease when sorting alphanum and num 
+- #109: Fixed where Validate sometimes returns wrong message on error
+
+## 1.4.2 (2018-04-10)
+
+### Changed
+
+- #72: Updated the docs to point to vert for a console appliaction
+- #71: Update the docs on pre-release comparator handling
+
+### Fixed
+
+- #70: Fix the handling of pre-releases and the 0.0.0 release edge case
+
+## 1.4.1 (2018-04-02)
+
+### Fixed
+
+- Fixed #64: Fix pre-release precedence issue (thanks @uudashr)
+
+## 1.4.0 (2017-10-04)
+
+### Changed
+
+- #61: Update NewVersion to parse ints with a 64bit int size (thanks @zknill)
+
+## 1.3.1 (2017-07-10)
+
+### Fixed
+
+- Fixed #57: number comparisons in prerelease sometimes inaccurate
+
+## 1.3.0 (2017-05-02)
+
+### Added
+
+- #45: Added json (un)marshaling support (thanks @mh-cbon)
+- Stability marker. See https://masterminds.github.io/stability/
+
+### Fixed
+
+- #51: Fix handling of single digit tilde constraint (thanks @dgodd)
+
+### Changed
+
+- #55: The godoc icon moved from png to svg
+
+## 1.2.3 (2017-04-03)
+
+### Fixed
+
+- #46: Fixed 0.x.x and 0.0.x in constraints being treated as *
+
+## Release 1.2.2 (2016-12-13)
+
+### Fixed
+
+- #34: Fixed issue where hyphen range was not working with pre-release parsing.
+
+## Release 1.2.1 (2016-11-28)
+
+### Fixed
+
+- #24: Fixed edge case issue where constraint "> 0" does not handle "0.0.1-alpha"
+  properly.
+
+## Release 1.2.0 (2016-11-04)
+
+### Added
+
+- #20: Added MustParse function for versions (thanks @adamreese)
+- #15: Added increment methods on versions (thanks @mh-cbon)
+
+### Fixed
+
+- Issue #21: Per the SemVer spec (section 9) a pre-release is unstable and
+  might not satisfy the intended compatibility. The change here ignores pre-releases
+  on constraint checks (e.g., ~ or ^) when a pre-release is not part of the
+  constraint. For example, `^1.2.3` will ignore pre-releases while
+  `^1.2.3-alpha` will include them.
+
+## Release 1.1.1 (2016-06-30)
+
+### Changed
+
+- Issue #9: Speed up version comparison performance (thanks @sdboyer)
+- Issue #8: Added benchmarks (thanks @sdboyer)
+- Updated Go Report Card URL to new location
+- Updated Readme to add code snippet formatting (thanks @mh-cbon)
+- Updating tagging to v[SemVer] structure for compatibility with other tools.
+
+## Release 1.1.0 (2016-03-11)
+
+- Issue #2: Implemented validation to provide reasons a versions failed a
+  constraint.
+
+## Release 1.0.1 (2015-12-31)
+
+- Fixed #1: * constraint failing on valid versions.
+
+## Release 1.0.0 (2015-10-20)
+
+- Initial release
--- a/vendor/github.com/Masterminds/semver/v3/LICENSE.txt
+++ b/vendor/github.com/Masterminds/semver/v3/LICENSE.txt
@@ -1,4 +1,4 @@
-Copyright 2012 Keith Rarick
+Copyright (C) 2014-2019, Matt Butcher and Matt Farina

 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
--- a/vendor/github.com/Masterminds/semver/v3/Makefile
+++ b/vendor/github.com/Masterminds/semver/v3/Makefile
@@ -0,0 +1,30 @@
+GOPATH=$(shell go env GOPATH)
+GOLANGCI_LINT=$(GOPATH)/bin/golangci-lint
+
+.PHONY: lint
+lint: $(GOLANGCI_LINT)
+	@echo "==> Linting codebase"
+	@$(GOLANGCI_LINT) run
+
+.PHONY: test
+test:
+	@echo "==> Running tests"
+	GO111MODULE=on go test -v
+
+.PHONY: test-cover
+test-cover:
+	@echo "==> Running Tests with coverage"
+	GO111MODULE=on go test -cover .
+
+.PHONY: fuzz
+fuzz:
+	@echo "==> Running Fuzz Tests"
+	go test -fuzz=FuzzNewVersion -fuzztime=15s .
+	go test -fuzz=FuzzStrictNewVersion -fuzztime=15s .
+	go test -fuzz=FuzzNewConstraint -fuzztime=15s .
+
+$(GOLANGCI_LINT):
+	# Install golangci-lint. The configuration for it is in the .golangci.yml
+	# file in the root of the repository
+	echo ${GOPATH}
+	curl -sfL https://install.goreleaser.com/github.com/golangci/golangci-lint.sh | sh -s -- -b $(GOPATH)/bin v1.17.1
--- a/vendor/github.com/Masterminds/semver/v3/README.md
+++ b/vendor/github.com/Masterminds/semver/v3/README.md
@@ -0,0 +1,258 @@
+# SemVer
+
+The `semver` package provides the ability to work with [Semantic Versions](http://semver.org) in Go. Specifically it provides the ability to:
+
+* Parse semantic versions
+* Sort semantic versions
+* Check if a semantic version fits within a set of constraints
+* Optionally work with a `v` prefix
+
+[![Stability:
+Active](https://masterminds.github.io/stability/active.svg)](https://masterminds.github.io/stability/active.html)
+[![](https://github.com/Masterminds/semver/workflows/Tests/badge.svg)](https://github.com/Masterminds/semver/actions)
+[![GoDoc](https://img.shields.io/static/v1?label=godoc&message=reference&color=blue)](https://pkg.go.dev/github.com/Masterminds/semver/v3)
+[![Go Report Card](https://goreportcard.com/badge/github.com/Masterminds/semver)](https://goreportcard.com/report/github.com/Masterminds/semver)
+
+If you are looking for a command line tool for version comparisons please see
+[vert](https://github.com/Masterminds/vert) which uses this library.
+
+## Package Versions
+
+Note, import `github.com/github.com/Masterminds/semver/v3` to use the latest version.
+
+There are three major versions fo the `semver` package.
+
+* 3.x.x is the stable and active version. This version is focused on constraint
+  compatibility for range handling in other tools from other languages. It has
+  a similar API to the v1 releases. The development of this version is on the master
+  branch. The documentation for this version is below.
+* 2.x was developed primarily for [dep](https://github.com/golang/dep). There are
+  no tagged releases and the development was performed by [@sdboyer](https://github.com/sdboyer).
+  There are API breaking changes from v1. This version lives on the [2.x branch](https://github.com/Masterminds/semver/tree/2.x).
+* 1.x.x is the original release. It is no longer maintained. You should use the
+  v3 release instead. You can read the documentation for the 1.x.x release
+  [here](https://github.com/Masterminds/semver/blob/release-1/README.md).
+
+## Parsing Semantic Versions
+
+There are two functions that can parse semantic versions. The `StrictNewVersion`
+function only parses valid version 2 semantic versions as outlined in the
+specification. The `NewVersion` function attempts to coerce a version into a
+semantic version and parse it. For example, if there is a leading v or a version
+listed without all 3 parts (e.g. `v1.2`) it will attempt to coerce it into a valid
+semantic version (e.g., 1.2.0). In both cases a `Version` object is returned
+that can be sorted, compared, and used in constraints.
+
+When parsing a version an error is returned if there is an issue parsing the
+version. For example,
+
+    v, err := semver.NewVersion("1.2.3-beta.1+build345")
+
+The version object has methods to get the parts of the version, compare it to
+other versions, convert the version back into a string, and get the original
+string. Getting the original string is useful if the semantic version was coerced
+into a valid form.
+
+## Sorting Semantic Versions
+
+A set of versions can be sorted using the `sort` package from the standard library.
+For example,
+
+```go
+raw := []string{"1.2.3", "1.0", "1.3", "2", "0.4.2",}
+vs := make([]*semver.Version, len(raw))
+for i, r := range raw {
+    v, err := semver.NewVersion(r)
+    if err != nil {
+        t.Errorf("Error parsing version: %s", err)
+    }
+
+    vs[i] = v
+}
+
+sort.Sort(semver.Collection(vs))
+```
+
+## Checking Version Constraints
+
+There are two methods for comparing versions. One uses comparison methods on
+`Version` instances and the other uses `Constraints`. There are some important
+differences to notes between these two methods of comparison.
+
+1. When two versions are compared using functions such as `Compare`, `LessThan`,
+   and others it will follow the specification and always include prereleases
+   within the comparison. It will provide an answer that is valid with the
+   comparison section of the spec at https://semver.org/#spec-item-11
+2. When constraint checking is used for checks or validation it will follow a
+   different set of rules that are common for ranges with tools like npm/js
+   and Rust/Cargo. This includes considering prereleases to be invalid if the
+   ranges does not include one. If you want to have it include pre-releases a
+   simple solution is to include `-0` in your range.
+3. Constraint ranges can have some complex rules including the shorthand use of
+   ~ and ^. For more details on those see the options below.
+
+There are differences between the two methods or checking versions because the
+comparison methods on `Version` follow the specification while comparison ranges
+are not part of the specification. Different packages and tools have taken it
+upon themselves to come up with range rules. This has resulted in differences.
+For example, npm/js and Cargo/Rust follow similar patterns while PHP has a
+different pattern for ^. The comparison features in this package follow the
+npm/js and Cargo/Rust lead because applications using it have followed similar
+patters with their versions.
+
+Checking a version against version constraints is one of the most featureful
+parts of the package.
+
+```go
+c, err := semver.NewConstraint(">= 1.2.3")
+if err != nil {
+    // Handle constraint not being parsable.
+}
+
+v, err := semver.NewVersion("1.3")
+if err != nil {
+    // Handle version not being parsable.
+}
+// Check if the version meets the constraints. The a variable will be true.
+a := c.Check(v)
+```
+
+### Basic Comparisons
+
+There are two elements to the comparisons. First, a comparison string is a list
+of space or comma separated AND comparisons. These are then separated by || (OR)
+comparisons. For example, `">= 1.2 < 3.0.0 || >= 4.2.3"` is looking for a
+comparison that's greater than or equal to 1.2 and less than 3.0.0 or is
+greater than or equal to 4.2.3.
+
+The basic comparisons are:
+
+* `=`: equal (aliased to no operator)
+* `!=`: not equal
+* `>`: greater than
+* `<`: less than
+* `>=`: greater than or equal to
+* `<=`: less than or equal to
+
+### Working With Prerelease Versions
+
+Pre-releases, for those not familiar with them, are used for software releases
+prior to stable or generally available releases. Examples of prereleases include
+development, alpha, beta, and release candidate releases. A prerelease may be
+a version such as `1.2.3-beta.1` while the stable release would be `1.2.3`. In the
+order of precedence, prereleases come before their associated releases. In this
+example `1.2.3-beta.1 < 1.2.3`.
+
+According to the Semantic Version specification prereleases may not be
+API compliant with their release counterpart. It says,
+
+> A pre-release version indicates that the version is unstable and might not satisfy the intended compatibility requirements as denoted by its associated normal version.
+
+SemVer comparisons using constraints without a prerelease comparator will skip
+prerelease versions. For example, `>=1.2.3` will skip prereleases when looking
+at a list of releases while `>=1.2.3-0` will evaluate and find prereleases.
+
+The reason for the `0` as a pre-release version in the example comparison is
+because pre-releases can only contain ASCII alphanumerics and hyphens (along with
+`.` separators), per the spec. Sorting happens in ASCII sort order, again per the
+spec. The lowest character is a `0` in ASCII sort order
+(see an [ASCII Table](http://www.asciitable.com/))
+
+Understanding ASCII sort ordering is important because A-Z comes before a-z. That
+means `>=1.2.3-BETA` will return `1.2.3-alpha`. What you might expect from case
+sensitivity doesn't apply here. This is due to ASCII sort ordering which is what
+the spec specifies.
+
+### Hyphen Range Comparisons
+
+There are multiple methods to handle ranges and the first is hyphens ranges.
+These look like:
+
+* `1.2 - 1.4.5` which is equivalent to `>= 1.2 <= 1.4.5`
+* `2.3.4 - 4.5` which is equivalent to `>= 2.3.4 <= 4.5`
+
+### Wildcards In Comparisons
+
+The `x`, `X`, and `*` characters can be used as a wildcard character. This works
+for all comparison operators. When used on the `=` operator it falls
+back to the patch level comparison (see tilde below). For example,
+
+* `1.2.x` is equivalent to `>= 1.2.0, < 1.3.0`
+* `>= 1.2.x` is equivalent to `>= 1.2.0`
+* `<= 2.x` is equivalent to `< 3`
+* `*` is equivalent to `>= 0.0.0`
+
+### Tilde Range Comparisons (Patch)
+
+The tilde (`~`) comparison operator is for patch level ranges when a minor
+version is specified and major level changes when the minor number is missing.
+For example,
+
+* `~1.2.3` is equivalent to `>= 1.2.3, < 1.3.0`
+* `~1` is equivalent to `>= 1, < 2`
+* `~2.3` is equivalent to `>= 2.3, < 2.4`
+* `~1.2.x` is equivalent to `>= 1.2.0, < 1.3.0`
+* `~1.x` is equivalent to `>= 1, < 2`
+
+### Caret Range Comparisons (Major)
+
+The caret (`^`) comparison operator is for major level changes once a stable
+(1.0.0) release has occurred. Prior to a 1.0.0 release the minor versions acts
+as the API stability level. This is useful when comparisons of API versions as a
+major change is API breaking. For example,
+
+* `^1.2.3` is equivalent to `>= 1.2.3, < 2.0.0`
+* `^1.2.x` is equivalent to `>= 1.2.0, < 2.0.0`
+* `^2.3` is equivalent to `>= 2.3, < 3`
+* `^2.x` is equivalent to `>= 2.0.0, < 3`
+* `^0.2.3` is equivalent to `>=0.2.3 <0.3.0`
+* `^0.2` is equivalent to `>=0.2.0 <0.3.0`
+* `^0.0.3` is equivalent to `>=0.0.3 <0.0.4`
+* `^0.0` is equivalent to `>=0.0.0 <0.1.0`
+* `^0` is equivalent to `>=0.0.0 <1.0.0`
+
+## Validation
+
+In addition to testing a version against a constraint, a version can be validated
+against a constraint. When validation fails a slice of errors containing why a
+version didn't meet the constraint is returned. For example,
+
+```go
+c, err := semver.NewConstraint("<= 1.2.3, >= 1.4")
+if err != nil {
+    // Handle constraint not being parseable.
+}
+
+v, err := semver.NewVersion("1.3")
+if err != nil {
+    // Handle version not being parseable.
+}
+
+// Validate a version against a constraint.
+a, msgs := c.Validate(v)
+// a is false
+for _, m := range msgs {
+    fmt.Println(m)
+
+    // Loops over the errors which would read
+    // "1.3 is greater than 1.2.3"
+    // "1.3 is less than 1.4"
+}
+```
+
+## Contribute
+
+If you find an issue or want to contribute please file an [issue](https://github.com/Masterminds/semver/issues)
+or [create a pull request](https://github.com/Masterminds/semver/pulls).
+
+## Security
+
+Security is an important consideration for this project. The project currently
+uses the following tools to help discover security issues:
+
+* [CodeQL](https://github.com/Masterminds/semver)
+* [gosec](https://github.com/securego/gosec)
+* Daily Fuzz testing
+
+If you believe you have found a security vulnerability you can privately disclose
+it through the [GitHub security page](https://github.com/Masterminds/semver/security).
--- a/vendor/github.com/Masterminds/semver/v3/SECURITY.md
+++ b/vendor/github.com/Masterminds/semver/v3/SECURITY.md
@@ -0,0 +1,19 @@
+# Security Policy
+
+## Supported Versions
+
+The following versions of semver are currently supported:
+
+| Version | Supported          |
+| ------- | ------------------ |
+| 3.x     | :white_check_mark: |
+| 2.x     | :x:                |
+| 1.x     | :x:                |
+
+Fixes are only released for the latest minor version in the form of a patch release.
+
+## Reporting a Vulnerability
+
+You can privately disclose a vulnerability through GitHubs
+[private vulnerability reporting](https://github.com/Masterminds/semver/security/advisories)
+mechanism.
--- a/vendor/github.com/Masterminds/semver/v3/collection.go
+++ b/vendor/github.com/Masterminds/semver/v3/collection.go
@@ -0,0 +1,24 @@
+package semver
+
+// Collection is a collection of Version instances and implements the sort
+// interface. See the sort package for more details.
+// https://golang.org/pkg/sort/
+type Collection []*Version
+
+// Len returns the length of a collection. The number of Version instances
+// on the slice.
+func (c Collection) Len() int {
+	return len(c)
+}
+
+// Less is needed for the sort interface to compare two Version objects on the
+// slice. If checks if one is less than the other.
+func (c Collection) Less(i, j int) bool {
+	return c[i].LessThan(c[j])
+}
+
+// Swap is needed for the sort interface to replace the Version objects
+// at two different positions in the slice.
+func (c Collection) Swap(i, j int) {
+	c[i], c[j] = c[j], c[i]
+}
--- a/vendor/github.com/Masterminds/semver/v3/constraints.go
+++ b/vendor/github.com/Masterminds/semver/v3/constraints.go
@@ -0,0 +1,594 @@
+package semver
+
+import (
+	"bytes"
+	"errors"
+	"fmt"
+	"regexp"
+	"strings"
+)
+
+// Constraints is one or more constraint that a semantic version can be
+// checked against.
+type Constraints struct {
+	constraints [][]*constraint
+}
+
+// NewConstraint returns a Constraints instance that a Version instance can
+// be checked against. If there is a parse error it will be returned.
+func NewConstraint(c string) (*Constraints, error) {
+
+	// Rewrite - ranges into a comparison operation.
+	c = rewriteRange(c)
+
+	ors := strings.Split(c, "||")
+	or := make([][]*constraint, len(ors))
+	for k, v := range ors {
+
+		// TODO: Find a way to validate and fetch all the constraints in a simpler form
+
+		// Validate the segment
+		if !validConstraintRegex.MatchString(v) {
+			return nil, fmt.Errorf("improper constraint: %s", v)
+		}
+
+		cs := findConstraintRegex.FindAllString(v, -1)
+		if cs == nil {
+			cs = append(cs, v)
+		}
+		result := make([]*constraint, len(cs))
+		for i, s := range cs {
+			pc, err := parseConstraint(s)
+			if err != nil {
+				return nil, err
+			}
+
+			result[i] = pc
+		}
+		or[k] = result
+	}
+
+	o := &Constraints{constraints: or}
+	return o, nil
+}
+
+// Check tests if a version satisfies the constraints.
+func (cs Constraints) Check(v *Version) bool {
+	// TODO(mattfarina): For v4 of this library consolidate the Check and Validate
+	// functions as the underlying functions make that possible now.
+	// loop over the ORs and check the inner ANDs
+	for _, o := range cs.constraints {
+		joy := true
+		for _, c := range o {
+			if check, _ := c.check(v); !check {
+				joy = false
+				break
+			}
+		}
+
+		if joy {
+			return true
+		}
+	}
+
+	return false
+}
+
+// Validate checks if a version satisfies a constraint. If not a slice of
+// reasons for the failure are returned in addition to a bool.
+func (cs Constraints) Validate(v *Version) (bool, []error) {
+	// loop over the ORs and check the inner ANDs
+	var e []error
+
+	// Capture the prerelease message only once. When it happens the first time
+	// this var is marked
+	var prerelesase bool
+	for _, o := range cs.constraints {
+		joy := true
+		for _, c := range o {
+			// Before running the check handle the case there the version is
+			// a prerelease and the check is not searching for prereleases.
+			if c.con.pre == "" && v.pre != "" {
+				if !prerelesase {
+					em := fmt.Errorf("%s is a prerelease version and the constraint is only looking for release versions", v)
+					e = append(e, em)
+					prerelesase = true
+				}
+				joy = false
+
+			} else {
+
+				if _, err := c.check(v); err != nil {
+					e = append(e, err)
+					joy = false
+				}
+			}
+		}
+
+		if joy {
+			return true, []error{}
+		}
+	}
+
+	return false, e
+}
+
+func (cs Constraints) String() string {
+	buf := make([]string, len(cs.constraints))
+	var tmp bytes.Buffer
+
+	for k, v := range cs.constraints {
+		tmp.Reset()
+		vlen := len(v)
+		for kk, c := range v {
+			tmp.WriteString(c.string())
+
+			// Space separate the AND conditions
+			if vlen > 1 && kk < vlen-1 {
+				tmp.WriteString(" ")
+			}
+		}
+		buf[k] = tmp.String()
+	}
+
+	return strings.Join(buf, " || ")
+}
+
+// UnmarshalText implements the encoding.TextUnmarshaler interface.
+func (cs *Constraints) UnmarshalText(text []byte) error {
+	temp, err := NewConstraint(string(text))
+	if err != nil {
+		return err
+	}
+
+	*cs = *temp
+
+	return nil
+}
+
+// MarshalText implements the encoding.TextMarshaler interface.
+func (cs Constraints) MarshalText() ([]byte, error) {
+	return []byte(cs.String()), nil
+}
+
+var constraintOps map[string]cfunc
+var constraintRegex *regexp.Regexp
+var constraintRangeRegex *regexp.Regexp
+
+// Used to find individual constraints within a multi-constraint string
+var findConstraintRegex *regexp.Regexp
+
+// Used to validate an segment of ANDs is valid
+var validConstraintRegex *regexp.Regexp
+
+const cvRegex string = `v?([0-9|x|X|\*]+)(\.[0-9|x|X|\*]+)?(\.[0-9|x|X|\*]+)?` +
+	`(-([0-9A-Za-z\-]+(\.[0-9A-Za-z\-]+)*))?` +
+	`(\+([0-9A-Za-z\-]+(\.[0-9A-Za-z\-]+)*))?`
+
+func init() {
+	constraintOps = map[string]cfunc{
+		"":   constraintTildeOrEqual,
+		"=":  constraintTildeOrEqual,
+		"!=": constraintNotEqual,
+		">":  constraintGreaterThan,
+		"<":  constraintLessThan,
+		">=": constraintGreaterThanEqual,
+		"=>": constraintGreaterThanEqual,
+		"<=": constraintLessThanEqual,
+		"=<": constraintLessThanEqual,
+		"~":  constraintTilde,
+		"~>": constraintTilde,
+		"^":  constraintCaret,
+	}
+
+	ops := `=||!=|>|<|>=|=>|<=|=<|~|~>|\^`
+
+	constraintRegex = regexp.MustCompile(fmt.Sprintf(
+		`^\s*(%s)\s*(%s)\s*$`,
+		ops,
+		cvRegex))
+
+	constraintRangeRegex = regexp.MustCompile(fmt.Sprintf(
+		`\s*(%s)\s+-\s+(%s)\s*`,
+		cvRegex, cvRegex))
+
+	findConstraintRegex = regexp.MustCompile(fmt.Sprintf(
+		`(%s)\s*(%s)`,
+		ops,
+		cvRegex))
+
+	// The first time a constraint shows up will look slightly different from
+	// future times it shows up due to a leading space or comma in a given
+	// string.
+	validConstraintRegex = regexp.MustCompile(fmt.Sprintf(
+		`^(\s*(%s)\s*(%s)\s*)((?:\s+|,\s*)(%s)\s*(%s)\s*)*$`,
+		ops,
+		cvRegex,
+		ops,
+		cvRegex))
+}
+
+// An individual constraint
+type constraint struct {
+	// The version used in the constraint check. For example, if a constraint
+	// is '<= 2.0.0' the con a version instance representing 2.0.0.
+	con *Version
+
+	// The original parsed version (e.g., 4.x from != 4.x)
+	orig string
+
+	// The original operator for the constraint
+	origfunc string
+
+	// When an x is used as part of the version (e.g., 1.x)
+	minorDirty bool
+	dirty      bool
+	patchDirty bool
+}
+
+// Check if a version meets the constraint
+func (c *constraint) check(v *Version) (bool, error) {
+	return constraintOps[c.origfunc](v, c)
+}
+
+// String prints an individual constraint into a string
+func (c *constraint) string() string {
+	return c.origfunc + c.orig
+}
+
+type cfunc func(v *Version, c *constraint) (bool, error)
+
+func parseConstraint(c string) (*constraint, error) {
+	if len(c) > 0 {
+		m := constraintRegex.FindStringSubmatch(c)
+		if m == nil {
+			return nil, fmt.Errorf("improper constraint: %s", c)
+		}
+
+		cs := &constraint{
+			orig:     m[2],
+			origfunc: m[1],
+		}
+
+		ver := m[2]
+		minorDirty := false
+		patchDirty := false
+		dirty := false
+		if isX(m[3]) || m[3] == "" {
+			ver = fmt.Sprintf("0.0.0%s", m[6])
+			dirty = true
+		} else if isX(strings.TrimPrefix(m[4], ".")) || m[4] == "" {
+			minorDirty = true
+			dirty = true
+			ver = fmt.Sprintf("%s.0.0%s", m[3], m[6])
+		} else if isX(strings.TrimPrefix(m[5], ".")) || m[5] == "" {
+			dirty = true
+			patchDirty = true
+			ver = fmt.Sprintf("%s%s.0%s", m[3], m[4], m[6])
+		}
+
+		con, err := NewVersion(ver)
+		if err != nil {
+
+			// The constraintRegex should catch any regex parsing errors. So,
+			// we should never get here.
+			return nil, errors.New("constraint Parser Error")
+		}
+
+		cs.con = con
+		cs.minorDirty = minorDirty
+		cs.patchDirty = patchDirty
+		cs.dirty = dirty
+
+		return cs, nil
+	}
+
+	// The rest is the special case where an empty string was passed in which
+	// is equivalent to * or >=0.0.0
+	con, err := StrictNewVersion("0.0.0")
+	if err != nil {
+
+		// The constraintRegex should catch any regex parsing errors. So,
+		// we should never get here.
+		return nil, errors.New("constraint Parser Error")
+	}
+
+	cs := &constraint{
+		con:        con,
+		orig:       c,
+		origfunc:   "",
+		minorDirty: false,
+		patchDirty: false,
+		dirty:      true,
+	}
+	return cs, nil
+}
+
+// Constraint functions
+func constraintNotEqual(v *Version, c *constraint) (bool, error) {
+	if c.dirty {
+
+		// If there is a pre-release on the version but the constraint isn't looking
+		// for them assume that pre-releases are not compatible. See issue 21 for
+		// more details.
+		if v.Prerelease() != "" && c.con.Prerelease() == "" {
+			return false, fmt.Errorf("%s is a prerelease version and the constraint is only looking for release versions", v)
+		}
+
+		if c.con.Major() != v.Major() {
+			return true, nil
+		}
+		if c.con.Minor() != v.Minor() && !c.minorDirty {
+			return true, nil
+		} else if c.minorDirty {
+			return false, fmt.Errorf("%s is equal to %s", v, c.orig)
+		} else if c.con.Patch() != v.Patch() && !c.patchDirty {
+			return true, nil
+		} else if c.patchDirty {
+			// Need to handle prereleases if present
+			if v.Prerelease() != "" || c.con.Prerelease() != "" {
+				eq := comparePrerelease(v.Prerelease(), c.con.Prerelease()) != 0
+				if eq {
+					return true, nil
+				}
+				return false, fmt.Errorf("%s is equal to %s", v, c.orig)
+			}
+			return false, fmt.Errorf("%s is equal to %s", v, c.orig)
+		}
+	}
+
+	eq := v.Equal(c.con)
+	if eq {
+		return false, fmt.Errorf("%s is equal to %s", v, c.orig)
+	}
+
+	return true, nil
+}
+
+func constraintGreaterThan(v *Version, c *constraint) (bool, error) {
+
+	// If there is a pre-release on the version but the constraint isn't looking
+	// for them assume that pre-releases are not compatible. See issue 21 for
+	// more details.
+	if v.Prerelease() != "" && c.con.Prerelease() == "" {
+		return false, fmt.Errorf("%s is a prerelease version and the constraint is only looking for release versions", v)
+	}
+
+	var eq bool
+
+	if !c.dirty {
+		eq = v.Compare(c.con) == 1
+		if eq {
+			return true, nil
+		}
+		return false, fmt.Errorf("%s is less than or equal to %s", v, c.orig)
+	}
+
+	if v.Major() > c.con.Major() {
+		return true, nil
+	} else if v.Major() < c.con.Major() {
+		return false, fmt.Errorf("%s is less than or equal to %s", v, c.orig)
+	} else if c.minorDirty {
+		// This is a range case such as >11. When the version is something like
+		// 11.1.0 is it not > 11. For that we would need 12 or higher
+		return false, fmt.Errorf("%s is less than or equal to %s", v, c.orig)
+	} else if c.patchDirty {
+		// This is for ranges such as >11.1. A version of 11.1.1 is not greater
+		// which one of 11.2.1 is greater
+		eq = v.Minor() > c.con.Minor()
+		if eq {
+			return true, nil
+		}
+		return false, fmt.Errorf("%s is less than or equal to %s", v, c.orig)
+	}
+
+	// If we have gotten here we are not comparing pre-preleases and can use the
+	// Compare function to accomplish that.
+	eq = v.Compare(c.con) == 1
+	if eq {
+		return true, nil
+	}
+	return false, fmt.Errorf("%s is less than or equal to %s", v, c.orig)
+}
+
+func constraintLessThan(v *Version, c *constraint) (bool, error) {
+	// If there is a pre-release on the version but the constraint isn't looking
+	// for them assume that pre-releases are not compatible. See issue 21 for
+	// more details.
+	if v.Prerelease() != "" && c.con.Prerelease() == "" {
+		return false, fmt.Errorf("%s is a prerelease version and the constraint is only looking for release versions", v)
+	}
+
+	eq := v.Compare(c.con) < 0
+	if eq {
+		return true, nil
+	}
+	return false, fmt.Errorf("%s is greater than or equal to %s", v, c.orig)
+}
+
+func constraintGreaterThanEqual(v *Version, c *constraint) (bool, error) {
+
+	// If there is a pre-release on the version but the constraint isn't looking
+	// for them assume that pre-releases are not compatible. See issue 21 for
+	// more details.
+	if v.Prerelease() != "" && c.con.Prerelease() == "" {
+		return false, fmt.Errorf("%s is a prerelease version and the constraint is only looking for release versions", v)
+	}
+
+	eq := v.Compare(c.con) >= 0
+	if eq {
+		return true, nil
+	}
+	return false, fmt.Errorf("%s is less than %s", v, c.orig)
+}
+
+func constraintLessThanEqual(v *Version, c *constraint) (bool, error) {
+	// If there is a pre-release on the version but the constraint isn't looking
+	// for them assume that pre-releases are not compatible. See issue 21 for
+	// more details.
+	if v.Prerelease() != "" && c.con.Prerelease() == "" {
+		return false, fmt.Errorf("%s is a prerelease version and the constraint is only looking for release versions", v)
+	}
+
+	var eq bool
+
+	if !c.dirty {
+		eq = v.Compare(c.con) <= 0
+		if eq {
+			return true, nil
+		}
+		return false, fmt.Errorf("%s is greater than %s", v, c.orig)
+	}
+
+	if v.Major() > c.con.Major() {
+		return false, fmt.Errorf("%s is greater than %s", v, c.orig)
+	} else if v.Major() == c.con.Major() && v.Minor() > c.con.Minor() && !c.minorDirty {
+		return false, fmt.Errorf("%s is greater than %s", v, c.orig)
+	}
+
+	return true, nil
+}
+
+// ~*, ~>* --> >= 0.0.0 (any)
+// ~2, ~2.x, ~2.x.x, ~>2, ~>2.x ~>2.x.x --> >=2.0.0, <3.0.0
+// ~2.0, ~2.0.x, ~>2.0, ~>2.0.x --> >=2.0.0, <2.1.0
+// ~1.2, ~1.2.x, ~>1.2, ~>1.2.x --> >=1.2.0, <1.3.0
+// ~1.2.3, ~>1.2.3 --> >=1.2.3, <1.3.0
+// ~1.2.0, ~>1.2.0 --> >=1.2.0, <1.3.0
+func constraintTilde(v *Version, c *constraint) (bool, error) {
+	// If there is a pre-release on the version but the constraint isn't looking
+	// for them assume that pre-releases are not compatible. See issue 21 for
+	// more details.
+	if v.Prerelease() != "" && c.con.Prerelease() == "" {
+		return false, fmt.Errorf("%s is a prerelease version and the constraint is only looking for release versions", v)
+	}
+
+	if v.LessThan(c.con) {
+		return false, fmt.Errorf("%s is less than %s", v, c.orig)
+	}
+
+	// ~0.0.0 is a special case where all constraints are accepted. It's
+	// equivalent to >= 0.0.0.
+	if c.con.Major() == 0 && c.con.Minor() == 0 && c.con.Patch() == 0 &&
+		!c.minorDirty && !c.patchDirty {
+		return true, nil
+	}
+
+	if v.Major() != c.con.Major() {
+		return false, fmt.Errorf("%s does not have same major version as %s", v, c.orig)
+	}
+
+	if v.Minor() != c.con.Minor() && !c.minorDirty {
+		return false, fmt.Errorf("%s does not have same major and minor version as %s", v, c.orig)
+	}
+
+	return true, nil
+}
+
+// When there is a .x (dirty) status it automatically opts in to ~. Otherwise
+// it's a straight =
+func constraintTildeOrEqual(v *Version, c *constraint) (bool, error) {
+	// If there is a pre-release on the version but the constraint isn't looking
+	// for them assume that pre-releases are not compatible. See issue 21 for
+	// more details.
+	if v.Prerelease() != "" && c.con.Prerelease() == "" {
+		return false, fmt.Errorf("%s is a prerelease version and the constraint is only looking for release versions", v)
+	}
+
+	if c.dirty {
+		return constraintTilde(v, c)
+	}
+
+	eq := v.Equal(c.con)
+	if eq {
+		return true, nil
+	}
+
+	return false, fmt.Errorf("%s is not equal to %s", v, c.orig)
+}
+
+// ^*      -->  (any)
+// ^1.2.3  -->  >=1.2.3 <2.0.0
+// ^1.2    -->  >=1.2.0 <2.0.0
+// ^1      -->  >=1.0.0 <2.0.0
+// ^0.2.3  -->  >=0.2.3 <0.3.0
+// ^0.2    -->  >=0.2.0 <0.3.0
+// ^0.0.3  -->  >=0.0.3 <0.0.4
+// ^0.0    -->  >=0.0.0 <0.1.0
+// ^0      -->  >=0.0.0 <1.0.0
+func constraintCaret(v *Version, c *constraint) (bool, error) {
+	// If there is a pre-release on the version but the constraint isn't looking
+	// for them assume that pre-releases are not compatible. See issue 21 for
+	// more details.
+	if v.Prerelease() != "" && c.con.Prerelease() == "" {
+		return false, fmt.Errorf("%s is a prerelease version and the constraint is only looking for release versions", v)
+	}
+
+	// This less than handles prereleases
+	if v.LessThan(c.con) {
+		return false, fmt.Errorf("%s is less than %s", v, c.orig)
+	}
+
+	var eq bool
+
+	// ^ when the major > 0 is >=x.y.z < x+1
+	if c.con.Major() > 0 || c.minorDirty {
+
+		// ^ has to be within a major range for > 0. Everything less than was
+		// filtered out with the LessThan call above. This filters out those
+		// that greater but not within the same major range.
+		eq = v.Major() == c.con.Major()
+		if eq {
+			return true, nil
+		}
+		return false, fmt.Errorf("%s does not have same major version as %s", v, c.orig)
+	}
+
+	// ^ when the major is 0 and minor > 0 is >=0.y.z < 0.y+1
+	if c.con.Major() == 0 && v.Major() > 0 {
+		return false, fmt.Errorf("%s does not have same major version as %s", v, c.orig)
+	}
+	// If the con Minor is > 0 it is not dirty
+	if c.con.Minor() > 0 || c.patchDirty {
+		eq = v.Minor() == c.con.Minor()
+		if eq {
+			return true, nil
+		}
+		return false, fmt.Errorf("%s does not have same minor version as %s. Expected minor versions to match when constraint major version is 0", v, c.orig)
+	}
+	// ^ when the minor is 0 and minor > 0 is =0.0.z
+	if c.con.Minor() == 0 && v.Minor() > 0 {
+		return false, fmt.Errorf("%s does not have same minor version as %s", v, c.orig)
+	}
+
+	// At this point the major is 0 and the minor is 0 and not dirty. The patch
+	// is not dirty so we need to check if they are equal. If they are not equal
+	eq = c.con.Patch() == v.Patch()
+	if eq {
+		return true, nil
+	}
+	return false, fmt.Errorf("%s does not equal %s. Expect version and constraint to equal when major and minor versions are 0", v, c.orig)
+}
+
+func isX(x string) bool {
+	switch x {
+	case "x", "*", "X":
+		return true
+	default:
+		return false
+	}
+}
+
+func rewriteRange(i string) string {
+	m := constraintRangeRegex.FindAllStringSubmatch(i, -1)
+	if m == nil {
+		return i
+	}
+	o := i
+	for _, v := range m {
+		t := fmt.Sprintf(">= %s, <= %s ", v[1], v[11])
+		o = strings.Replace(o, v[0], t, 1)
+	}
+
+	return o
+}
--- a/Show More
+++ b/Show More