Bump Skopeo to v1.18.0

As the title says, bumping to v1.18.0 to go out with Podman v5.4. Signed-off-by: tomsweeneyredhat <tsweeney@redhat.com>
Merge pull request #2513 from mheon/cncf_code_of_conduct
2026-01-30 13:58:48 +00:00 · 2025-02-12 11:27:38 -05:00 · 2025-02-10 21:41:40 +01:00 · 2025-02-10 14:45:44 -05:00 · 2025-02-05 22:30:13 +01:00 · 2025-02-04 20:51:14 +00:00
3939 changed files with 719825 additions and 198404 deletions
--- a/.cirrus.yml
+++ b/.cirrus.yml
@@ -0,0 +1,259 @@
+---
+
+# Main collection of env. vars to set for all tasks and scripts.
+env:
+    ####
+    #### Global variables used for all tasks
+    ####
+    # Name of the ultimate destination branch for this CI run, PR or post-merge.
+    DEST_BRANCH: "main"
+    # Overrides default location (/tmp/cirrus) for repo clone
+    GOPATH: &gopath "/var/tmp/go"
+    GOBIN: "${GOPATH}/bin"
+    GOCACHE: "${GOPATH}/cache"
+    GOSRC: &gosrc "/var/tmp/go/src/github.com/containers/skopeo"
+    # Required for consistency with containers/image CI
+    SKOPEO_PATH: *gosrc
+    CIRRUS_WORKING_DIR: *gosrc
+    # The default is 'sh' if unspecified
+    CIRRUS_SHELL: "/bin/bash"
+    # Save a little typing (path relative to $CIRRUS_WORKING_DIR)
+    SCRIPT_BASE: "./contrib/cirrus"
+
+    # Google-cloud VM Images
+    IMAGE_SUFFIX: "c20250131t121915z-f41f40d13"
+    FEDORA_CACHE_IMAGE_NAME: "fedora-${IMAGE_SUFFIX}"
+
+    # Container FQIN's
+    FEDORA_CONTAINER_FQIN: "quay.io/libpod/fedora_podman:${IMAGE_SUFFIX}"
+
+    # Built along with the standard PR-based workflow in c/automation_images
+    SKOPEO_CIDEV_CONTAINER_FQIN: "quay.io/libpod/skopeo_cidev:${IMAGE_SUFFIX}"
+
+
+# Default timeout for each task
+timeout_in: 45m
+
+
+gcp_credentials: ENCRYPTED[52d9e807b531b37ab14e958cb5a72499460663f04c8d73e22ad608c027a31118420f1c80f0be0882fbdf96f49d8f9ac0]
+
+
+validate_task:
+    # The git-validation tool doesn't work well on branch or tag push,
+    # under Cirrus-CI, due to challenges obtaining the starting commit ID.
+    # Only do validation for PRs.
+    only_if: &is_pr $CIRRUS_PR != ''
+    container:
+        image: '${SKOPEO_CIDEV_CONTAINER_FQIN}'
+        cpu: 4
+        memory: 8
+    setup_script: |
+        make tools
+    test_script: |
+        make validate-local
+        make vendor && hack/tree_status.sh
+
+doccheck_task:
+    only_if: *is_pr
+    depends_on:
+      - validate
+    container:
+        image: "${FEDORA_CONTAINER_FQIN}"
+        cpu: 4
+        memory: 8
+    env:
+        BUILDTAGS: &withopengpg 'btrfs_noversion libdm_no_deferred_remove containers_image_openpgp'
+    script: |
+      # TODO: Can't use 'runner.sh setup' inside container.  However,
+      # removing the pre-installed package is the only necessary step
+      # at the time of this comment.
+      dnf remove -y skopeo  # Guarantee non-interference
+      "${SKOPEO_PATH}/${SCRIPT_BASE}/runner.sh" build
+      "${SKOPEO_PATH}/${SCRIPT_BASE}/runner.sh" doccheck
+
+osx_task:
+    # Don't run for docs-only builds.
+    # Also don't run on release-branches or their PRs,
+    # since base container-image is not version-constrained.
+    only_if: &not_docs_or_release_branch >-
+        ($CIRRUS_BASE_BRANCH == $CIRRUS_DEFAULT_BRANCH ||
+         $CIRRUS_BRANCH == $CIRRUS_DEFAULT_BRANCH ) &&
+        $CIRRUS_CHANGE_TITLE !=~ '.*CI:DOCS.*'
+    depends_on:
+        - validate
+    persistent_worker: &mac_pw
+        labels:
+            os: darwin
+            arch: arm64
+            purpose: prod
+    env:
+        CIRRUS_WORKING_DIR: "$HOME/ci/task-${CIRRUS_TASK_ID}"
+        # Prevent cache-pollution fron one task to the next.
+        GOPATH: "$CIRRUS_WORKING_DIR/.go"
+        GOCACHE: "$CIRRUS_WORKING_DIR/.go/cache"
+        GOENV: "$CIRRUS_WORKING_DIR/.go/support"
+        GOSRC: "$HOME/ci/task-${CIRRUS_TASK_ID}"
+        TMPDIR: "/private/tmp/ci"
+    # This host is/was shared with potentially many other CI tasks.
+    # The previous task may have been canceled or aborted.
+    prep_script: &mac_cleanup "contrib/cirrus/mac_cleanup.sh"
+    test_script:
+        - export PATH=$GOPATH/bin:$PATH
+        - go version
+        - go env
+        - make tools
+        - make validate-local test-unit-local bin/skopeo
+        - bin/skopeo -v
+    # This host is/was shared with potentially many other CI tasks.
+    # Ensure nothing is left running while waiting for the next task.
+    always:
+        task_cleanup_script: *mac_cleanup
+
+
+cross_task:
+    alias: cross
+    only_if: >-
+        $CIRRUS_CHANGE_TITLE !=~ '.*CI:DOCS.*'
+    depends_on:
+        - validate
+    gce_instance: &standardvm
+        image_project: libpod-218412
+        zone: "us-central1-f"
+        cpu: 2
+        memory: "4Gb"
+        # Required to be 200gig, do not modify - has i/o performance impact
+        # according to gcloud CLI tool warning messages.
+        disk: 200
+        image_name: ${FEDORA_CACHE_IMAGE_NAME}
+    env:
+        BUILDTAGS: *withopengpg
+    setup_script: >-
+        "${GOSRC}/${SCRIPT_BASE}/runner.sh" setup
+    cross_script: >-
+        "${GOSRC}/${SCRIPT_BASE}/runner.sh" cross
+
+
+ostree-rs-ext_task:
+    alias: proxy_ostree_ext
+    only_if: *not_docs_or_release_branch
+    # WARNING: This task potentially performs a container image
+    # build (on change) with runtime package installs.  Therefore,
+    # its behavior can be unpredictable and potentially flake-prone.
+    # In case of emergency, uncomment the next statement to bypass.
+    #
+    # skip: $CI == "true"
+    #
+    depends_on:
+        - validate
+    # Ref: https://cirrus-ci.org/guide/docker-builder-vm/#dockerfile-as-a-ci-environment
+    container:
+        # The runtime image will be rebuilt on change
+        dockerfile: contrib/cirrus/ostree_ext.dockerfile
+        docker_arguments:  # required build-args
+            BASE_FQIN: quay.io/coreos-assembler/fcos-buildroot:testing-devel
+            CIRRUS_IMAGE_VERSION: 3
+    env:
+        EXT_REPO_NAME: ostree-rs-ext
+        EXT_REPO_HOME: $CIRRUS_WORKING_DIR/../$EXT_REPO_NAME
+        EXT_REPO: https://github.com/ostreedev/${EXT_REPO_NAME}.git
+    skopeo_build_script:
+        - dnf builddep -y skopeo
+        - make
+        - make install
+    proxy_ostree_ext_build_script:
+        - git clone --depth 1 $EXT_REPO $EXT_REPO_HOME
+        - cd $EXT_REPO_HOME
+        - cargo test --no-run
+    proxy_ostree_ext_test_script:
+        - cd $EXT_REPO_HOME
+        - cargo test -- --nocapture --quiet
+
+
+#####
+##### NOTE: This task is subtantially duplicated in the containers/image
+##### repository's `.cirrus.yml`.  Changes made here should be fully merged
+##### prior to being manually duplicated and maintained in containers/image.
+#####
+test_skopeo_task:
+    alias: test_skopeo
+    # Don't test for [CI:DOCS], [CI:BUILD].
+    only_if: >-
+        $CIRRUS_CHANGE_TITLE !=~ '.*CI:BUILD.*' &&
+        $CIRRUS_CHANGE_TITLE !=~ '.*CI:DOCS.*'
+    depends_on:
+        - validate
+    gce_instance:
+        image_project: libpod-218412
+        zone: "us-central1-f"
+        cpu: 2
+        memory: "4Gb"
+        # Required to be 200gig, do not modify - has i/o performance impact
+        # according to gcloud CLI tool warning messages.
+        disk: 200
+        image_name: ${FEDORA_CACHE_IMAGE_NAME}
+    matrix:
+        - name: "Skopeo Test"  # N/B: Name ref. by hack/get_fqin.sh
+          env:
+              BUILDTAGS: 'btrfs_noversion libdm_no_deferred_remove'
+        - name: "Skopeo Test w/ opengpg"
+          env:
+              BUILDTAGS: *withopengpg
+    setup_script: >-
+        "${GOSRC}/${SCRIPT_BASE}/runner.sh" setup
+    vendor_script: >-
+        "${SKOPEO_PATH}/${SCRIPT_BASE}/runner.sh" vendor
+    build_script: >-
+        "${SKOPEO_PATH}/${SCRIPT_BASE}/runner.sh" build
+    unit_script: >-
+        "${SKOPEO_PATH}/${SCRIPT_BASE}/runner.sh" unit
+    integration_script: >-
+        "${SKOPEO_PATH}/${SCRIPT_BASE}/runner.sh" integration
+    system_script: >
+        "${SKOPEO_PATH}/${SCRIPT_BASE}/runner.sh" system
+
+
+# This task is critical.  It updates the "last-used by" timestamp stored
+# in metadata for all VM images.  This mechanism functions in tandem with
+# an out-of-band pruning operation to remove disused VM images.
+meta_task:
+    name: "VM img. keepalive"
+    alias: meta
+    container: &smallcontainer
+        cpu: 2
+        memory: 2
+        image: quay.io/libpod/imgts:latest
+    env:
+        # Space-separated list of images used by this repository state
+        IMGNAMES: |
+            ${FEDORA_CACHE_IMAGE_NAME}
+            build-push-${IMAGE_SUFFIX}
+        BUILDID: "${CIRRUS_BUILD_ID}"
+        REPOREF: "${CIRRUS_REPO_NAME}"
+        GCPJSON: ENCRYPTED[6867b5a83e960e7c159a98fe6c8360064567a071c6f4b5e7d532283ecd870aa65c94ccd74bdaa9bf7aadac9d42e20a67]
+        GCPNAME: ENCRYPTED[1cf558ae125e3c39ec401e443ad76452b25d790c45eb73d77c83eb059a0f7fd5085ef7e2f7e410b04ea6e83b0aab2eb1]
+        GCPPROJECT: libpod-218412
+    clone_script: &noop mkdir -p "$CIRRUS_WORKING_DIR"
+    script: /usr/local/bin/entrypoint.sh
+
+
+# Status aggregator for all tests.  This task simply ensures a defined
+# set of tasks all passed, and allows confirming that based on the status
+# of this task.
+success_task:
+    name: "Total Success"
+    alias: success
+    # N/B: ALL tasks must be listed here, minus their '_task' suffix.
+    depends_on:
+        - validate
+        - doccheck
+        - osx
+        - cross
+        - proxy_ostree_ext
+        - test_skopeo
+        - meta
+    container: *smallcontainer
+    env:
+        CTR_FQIN: ${FEDORA_CONTAINER_FQIN}
+        TEST_ENVIRON: container
+    clone_script: *noop
+    script: /bin/true
--- a/.github/renovate.json5
+++ b/.github/renovate.json5
@@ -0,0 +1,52 @@
+/*
+   Renovate is a service similar to GitHub Dependabot, but with
+   (fantastically) more configuration options.  So many options
+   in fact, if you're new I recommend glossing over this cheat-sheet
+   prior to the official documentation:
+
+   https://www.augmentedmind.de/2021/07/25/renovate-bot-cheat-sheet
+
+   Configuration Update/Change Procedure:
+     1. Make changes
+     2. Manually validate changes (from repo-root):
+
+        podman run -it \
+            -v ./.github/renovate.json5:/usr/src/app/renovate.json5:z \
+            docker.io/renovate/renovate:latest \
+            renovate-config-validator
+     3. Commit.
+
+   Configuration Reference:
+   https://docs.renovatebot.com/configuration-options/
+
+   Monitoring Dashboard:
+   https://app.renovatebot.com/dashboard#github/containers
+
+   Note: The Renovate bot will create/manage it's business on
+         branches named 'renovate/*'.  Otherwise, and by
+         default, the only the copy of this file that matters
+         is the one on the `main` branch.  No other branches
+         will be monitored or touched in any way.
+*/
+
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+
+  /*************************************************
+   ****** Global/general configuration options *****
+   *************************************************/
+
+  // Re-use predefined sets of configuration options to DRY
+  "extends": [
+    // https://github.com/containers/automation/blob/main/renovate/defaults.json5
+    "github>containers/automation//renovate/defaults.json5"
+  ],
+
+  // Permit automatic rebasing when base-branch changes by more than
+  // one commit.
+  "rebaseWhen": "behind-base-branch",
+
+  /*************************************************
+   *** Repository-specific configuration options ***
+   *************************************************/
+}
--- a/.github/workflows/check_cirrus_cron.yml
+++ b/.github/workflows/check_cirrus_cron.yml
@@ -0,0 +1,20 @@
+---
+
+# See also:
+# https://github.com/containers/podman/blob/main/.github/workflows/check_cirrus_cron.yml
+
+on:
+  # Note: This only applies to the default branch.
+  schedule:
+    # N/B: This should correspond to a period slightly after
+    # the last job finishes running.  See job defs. at:
+    # https://cirrus-ci.com/settings/repository/6706677464432640
+    - cron:  '03 03 * * 1-5'
+  # Debug: Allow triggering job manually in github-actions WebUI
+  workflow_dispatch: {}
+
+jobs:
+  # Ref: https://docs.github.com/en/actions/using-workflows/reusing-workflows
+  call_cron_failures:
+    uses: containers/podman/.github/workflows/check_cirrus_cron.yml@main
+    secrets: inherit
--- a/.github/workflows/issue_pr_lock.yml
+++ b/.github/workflows/issue_pr_lock.yml
@@ -0,0 +1,20 @@
+---
+
+# See also:
+# https://github.com/containers/podman/blob/main/.github/workflows/issue_pr_lock.yml
+
+on:
+  schedule:
+    - cron:  '0 0 * * *'
+  # Debug: Allow triggering job manually in github-actions WebUI
+  workflow_dispatch: {}
+
+jobs:
+  # Ref: https://docs.github.com/en/actions/using-workflows/reusing-workflows
+  closed_issue_discussion_lock:
+    uses: containers/podman/.github/workflows/issue_pr_lock.yml@main
+    secrets: inherit
+    permissions:
+      contents: read
+      issues: write
+      pull-requests: write
--- a/.github/workflows/rerun_cirrus_cron.yml
+++ b/.github/workflows/rerun_cirrus_cron.yml
@@ -0,0 +1,19 @@
+---
+
+# See also: https://github.com/containers/podman/blob/main/.github/workflows/rerun_cirrus_cron.yml
+
+on:
+  # Note: This only applies to the default branch.
+  schedule:
+    # N/B: This should correspond to a period slightly after
+    # the last job finishes running.  See job defs. at:
+    # https://cirrus-ci.com/settings/repository/6706677464432640
+    - cron:  '01 01 * * 1-5'
+  # Debug: Allow triggering job manually in github-actions WebUI
+  workflow_dispatch: {}
+
+jobs:
+  # Ref: https://docs.github.com/en/actions/using-workflows/reusing-workflows
+  call_cron_rerun:
+    uses: containers/podman/.github/workflows/rerun_cirrus_cron.yml@main
+    secrets: inherit
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -0,0 +1,29 @@
+name: Mark stale issues and pull requests
+
+# Please refer to https://github.com/actions/stale/blob/master/action.yml
+# to see all config knobs of the stale action.
+
+on:
+  schedule:
+  - cron: "0 0 * * *"
+
+permissions:
+  contents: read
+
+jobs:
+  stale:
+    permissions:
+      issues: write  # for actions/stale to close stale issues
+      pull-requests: write  # for actions/stale to close stale PRs
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/stale@v9
+      with:
+        repo-token: ${{ secrets.GITHUB_TOKEN }}
+        stale-issue-message: 'A friendly reminder that this issue had no activity for 30 days.'
+        stale-pr-message: 'A friendly reminder that this PR had no activity for 30 days.'
+        stale-issue-label: 'stale-issue'
+        stale-pr-label: 'stale-pr'
+        days-before-stale: 30
+        days-before-close: 365
+        remove-stale-when-updated: true
--- a/.gitignore
+++ b/.gitignore
@@ -2,6 +2,9 @@
 /layers-*
 /skopeo
 result
-
+/completions/
 # ignore JetBrains IDEs (GoLand) config folder
 .idea
+
+# Ignore the bin directory
+bin
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -0,0 +1,3 @@
+---
+run:
+  timeout: 5m
--- a/.packit.yaml
+++ b/.packit.yaml
@@ -0,0 +1,99 @@
+---
+# See the documentation for more information:
+# https://packit.dev/docs/configuration/
+
+# NOTE: The Packit copr_build tasks help to check if every commit builds on
+# supported Fedora and CentOS Stream arches.
+# They do not block the current Cirrus-based workflow.
+
+downstream_package_name: skopeo
+upstream_tag_template: v{version}
+
+packages:
+  skopeo-fedora:
+    pkg_tool: fedpkg
+    specfile_path: rpm/skopeo.spec
+  skopeo-centos:
+    pkg_tool: centpkg
+    specfile_path: rpm/skopeo.spec
+  skopeo-eln:
+    specfile_path: rpm/skopeo.spec
+
+srpm_build_deps:
+  - make
+
+jobs:
+  - job: copr_build
+    trigger: pull_request
+    packages: [skopeo-fedora]
+    notifications: &copr_build_failure_notification
+      failure_comment:
+        message: "Ephemeral COPR build failed. @containers/packit-build please check."
+    targets:
+      - fedora-all-x86_64
+      - fedora-all-aarch64
+    enable_net: true
+
+  - job: copr_build
+    trigger: pull_request
+    packages: [skopeo-eln]
+    notifications: *copr_build_failure_notification
+    targets:
+      fedora-eln-x86_64:
+        additional_repos:
+          - "https://kojipkgs.fedoraproject.org/repos/eln-build/latest/x86_64/"
+      fedora-eln-aarch64:
+        additional_repos:
+          - "https://kojipkgs.fedoraproject.org/repos/eln-build/latest/aarch64/"
+    enable_net: true
+
+  - job: copr_build
+    trigger: pull_request
+    packages: [skopeo-centos]
+    notifications: *copr_build_failure_notification
+    targets:
+      - centos-stream-9-x86_64
+      - centos-stream-9-aarch64
+      - centos-stream-10-x86_64
+      - centos-stream-10-aarch64
+    enable_net: true
+
+  # Run on commit to main branch
+  - job: copr_build
+    trigger: commit
+    packages: [skopeo-fedora]
+    notifications:
+      failure_comment:
+        message: "podman-next COPR build failed. @containers/packit-build please check."
+    branch: main
+    owner: rhcontainerbot
+    project: podman-next
+    enable_net: true
+
+  # Sync to Fedora
+  - job: propose_downstream
+    trigger: release
+    packages: [skopeo-fedora]
+    update_release: false
+    dist_git_branches: &fedora_targets
+      - fedora-all
+
+  # Sync to CentOS Stream
+  - job: propose_downstream
+    trigger: release
+    packages: [skopeo-centos]
+    update_release: false
+    dist_git_branches:
+      - c10s
+
+  # Fedora Koji build
+  - job: koji_build
+    trigger: commit
+    packages: [skopeo-fedora]
+    sidetag_group: podman-releases
+    # Dependents are not rpm dependencies, but the package whose bodhi update
+    # should include this package.
+    # Ref: https://packit.dev/docs/fedora-releases-guide/releasing-multiple-packages
+    dependents:
+      - podman
+    dist_git_branches: *fedora_targets
--- a/.travis.yml
+++ b/.travis.yml
@@ -1,101 +0,0 @@
-language: go
-
-go:
-  - 1.15.x
-
-notifications:
-  email: false
-
-env:
-  global:
-    # Multiarch manifest will support architectures from this list. It should be the same architectures, as ones in image-build-push step in this Travis config
-    - MULTIARCH_MANIFEST_ARCHITECTURES="amd64 s390x ppc64le"
-    # env variables for stable image build
-    - STABLE_IMAGE=quay.io/skopeo/stable:v1.2.0
-    - EXTRA_STABLE_IMAGE=quay.io/containers/skopeo:v1.2.0
-    # env variable for upstream image build
-    - UPSTREAM_IMAGE=quay.io/skopeo/upstream:master
-
-# Just declaration of the image-build-push step with script actions to execute
-x_base_steps:
-  - &image-build-push
-    services:
-      - docker
-    os: linux
-    dist: focal
-    script:
-      # skopeo upstream image build
-      - make -f release/Makefile build-image/upstream
-      # Push image in case if build is started via cron job or code is pushed to master
-      - if [ "$TRAVIS_EVENT_TYPE" == "push" ] || [ "$TRAVIS_EVENT_TYPE" == "cron" ]; then
-           make -f release/Makefile push-image/upstream ;
-        fi
-
-      # skopeo stable image build
-      - make -f release/Makefile build-image/stable
-      # Push image in case if build is started via cron job or code is pushed to master
-      - if [ "$TRAVIS_EVENT_TYPE" == "push" ] || [ "$TRAVIS_EVENT_TYPE" == "cron" ]; then
-           make -f release/Makefile push-image/stable ;
-        fi
-
-# Just declaration of stage order to run
-stages:
-  # Test for local build
-  - local-build
-  # Build and push image for 1 architecture
-  - name: image-build-push
-    if: branch = master
-  # Create and push image manifest to have multiarch image on top of architecture specific images
-  - name: manifest-multiarch-push
-    if: (type IN (push, cron)) AND branch = master
-
-# Actual execution of steps
-jobs:
-  include:
-    # Run 2 local-build steps in parallel for osx and linux/amd64 platforms
-    - stage: local-build
-      <<: *local-build
-      name: local build for osx
-      os: osx
-      osx_image: xcode11.3
-      install:
-        # Ideally, the (brew update) should not be necessary and Travis would have fairly
-        # frequently updated OS images; that's not been the case historically.
-        # In particular, explicitly unlink python@2, which has been removed from Homebrew
-        # since the last OS image build (as of July 2020), but the Travis OS still
-        # contains it, and it prevents updating of Python 3.
-      - brew update && brew unlink python@2 && brew install gpgme
-      script:
-      - hack/travis_osx.sh
-    - stage: local-build
-      <<: *local-build
-      name: local build for linux
-      os: linux
-      services:
-      - docker
-      script: 
-      - make vendor && ./hack/tree_status.sh && make local-cross && make check
-
-    # Run 3 image-build-push tasks in parallel for linux/amd64, linux/s390x and linux/ppc64le platforms (for upstream and stable)
-    - stage: image-build-push
-      <<: *image-build-push
-      name: images for amd64
-      arch: amd64
-
-    - stage: image-build-push
-      <<: *image-build-push
-      name: images for s390x
-      arch: s390x
-
-    - stage: image-build-push
-      <<: *image-build-push
-      name: images for ppc64le
-      arch: ppc64le
-
-    # Run final task to generate multi-arch image manifests (for upstream and stable)
-    - stage: manifest-multiarch-push
-      os: linux
-      dist: focal
-      script:
-      - make -f release/Makefile push-manifest-multiarch/upstream
-      - make -f release/Makefile push-manifest-multiarch/stable
--- a/CODE-OF-CONDUCT.md
+++ b/CODE-OF-CONDUCT.md
@@ -1,3 +1,3 @@
 ## The skopeo Project Community Code of Conduct

-The skopeo project follows the [Containers Community Code of Conduct](https://github.com/containers/common/blob/master/CODE-OF-CONDUCT.md).
+The skopeo project, as part of Podman Container Tools, follows the [CNCF Code of Conduct](https://github.com/cncf/foundation/blob/main/code-of-conduct.md).
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -117,29 +117,31 @@ commit automatically with `git commit -s`.

 ### Dependencies management

-Make sure [`vndr`](https://github.com/LK4D4/vndr) is installed.
+Dependencies are managed via [standard go modules](https://golang.org/ref/mod).

 In order to add a new dependency to this project:

- add a new line to `vendor.conf` according to `vndr` rules (e.g. `github.com/pkg/errors master`)
+- use `go get -d path/to/dep@version` to add a new line to `go.mod`
 - run `make vendor`

 In order to update an existing dependency:

- update the relevant dependency line in `vendor.conf`
+- use `go get -d -u path/to/dep@version` to update the relevant dependency line in `go.mod`
 - run `make vendor`

 When new PRs for [containers/image](https://github.com/containers/image) break `skopeo` (i.e. `containers/image` tests fail in `make test-skopeo`):

 - create out a new branch in your `skopeo` checkout and switch to it
- update `vendor.conf`. Find out the `containers/image` dependency; update it to vendor from your own branch and your own repository fork (e.g. `github.com/containers/image my-branch https://github.com/runcom/image`)
+- find out the version of `containers/image` you want to use and note its commit ID. You might also want to use a fork of `containers/image`, in that case note its repo
+- use `go get -d github.com/$REPO/image/v5@$COMMIT_ID` to download the right version. The command will fetch the dependency and then fail because of a conflict in `go.mod`, this is expected. Note the pseudo-version (eg. `v5.13.1-0.20210707123201-50afbf0a326`)
+- use `go mod edit -replace=github.com/containers/image/v5=github.com/$REPO/image/v5@$PSEUDO_VERSION` to add a replacement line to `go.mod` (e.g. `replace github.com/containers/image/v5 => github.com/moio/image/v5 v5.13.1-0.20210707123201-50afbf0a3262`)
 - run `make vendor`
 - make any other necessary changes in the skopeo repo (e.g. add other dependencies now required by `containers/image`, or update skopeo for changed `containers/image` API)
 - optionally add new integration tests to the skopeo repo
 - submit the resulting branch as a skopeo PR, marked “DO NOT MERGE”
 - iterate until tests pass and the PR is reviewed
 - then the original `containers/image` PR can be merged, disregarding its `make test-skopeo` failure
- as soon as possible after that, in the skopeo PR, restore the `containers/image` line in `vendor.conf` to use `containers/image:master`
+- as soon as possible after that, in the skopeo PR, use `go mod edit -dropreplace=github.com/containers/image` to remove the `replace` line in `go.mod`
 - run `make vendor`
 - update the skopeo PR with the result, drop the “DO NOT MERGE” marking
 - after tests complete successfully again, merge the skopeo PR
@@ -147,7 +149,7 @@ When new PRs for [containers/image](https://github.com/containers/image) break `
 ## Communications

 For general questions, or discussions, please use the 
-IRC group on `irc.freenode.net` called `container-projects`
+IRC channel on `irc.libera.chat` called `#container-projects`
 that has been setup.

 For discussions around issues/bugs and features, you can use the github
--- a/53
+++ b/53
@@ -1,53 +0,0 @@
-FROM fedora
-
-RUN dnf -y update && dnf install -y make git golang golang-github-cpuguy83-md2man \
-	# storage deps
-	btrfs-progs-devel \
-	device-mapper-devel \
-	# gpgme bindings deps
-	libassuan-devel gpgme-devel \
-	gnupg \
-	# htpasswd for system tests
-	httpd-tools \
-	# OpenShift deps
-	which tar wget hostname util-linux bsdtar socat ethtool device-mapper iptables tree findutils nmap-ncat e2fsprogs xfsprogs lsof docker iproute \
-        bats jq podman runc \
-	golint \
-	openssl \
-	&& dnf clean all
-
-# Install two versions of the registry. The first is an older version that
-# only supports schema1 manifests. The second is a newer version that supports
-# both. This allows integration-cli tests to cover push/pull with both schema1
-# and schema2 manifests.
-RUN set -x \
-	&& REGISTRY_COMMIT_SCHEMA1=ec87e9b6971d831f0eff752ddb54fb64693e51cd \
-	&& REGISTRY_COMMIT=47a064d4195a9b56133891bbb13620c3ac83a827 \
-	&& export GOPATH="$(mktemp -d)" \
-	&& git clone https://github.com/docker/distribution.git "$GOPATH/src/github.com/docker/distribution" \
-	&& (cd "$GOPATH/src/github.com/docker/distribution" && git checkout -q "$REGISTRY_COMMIT") \
-	&& GOPATH="$GOPATH/src/github.com/docker/distribution/Godeps/_workspace:$GOPATH" \
-		go build -o /usr/local/bin/registry-v2 github.com/docker/distribution/cmd/registry \
-	&& (cd "$GOPATH/src/github.com/docker/distribution" && git checkout -q "$REGISTRY_COMMIT_SCHEMA1") \
-	&& GOPATH="$GOPATH/src/github.com/docker/distribution/Godeps/_workspace:$GOPATH" \
-		go build -o /usr/local/bin/registry-v2-schema1 github.com/docker/distribution/cmd/registry \
-	&& rm -rf "$GOPATH"
-
-RUN set -x \
-	&& export GOPATH=$(mktemp -d) \
-	&& git clone --depth 1 -b v1.5.0-alpha.3 git://github.com/openshift/origin "$GOPATH/src/github.com/openshift/origin" \
-	# The sed edits out a "go < 1.5" check which works incorrectly with go ≥ 1.10. \
-	&& sed -i -e 's/\[\[ "\${go_version\[2]}" < "go1.5" ]]/false/' "$GOPATH/src/github.com/openshift/origin/hack/common.sh" \
-	&& (cd "$GOPATH/src/github.com/openshift/origin" && make clean build && make all WHAT=cmd/dockerregistry) \
-	&& cp -a "$GOPATH/src/github.com/openshift/origin/_output/local/bin/linux"/*/* /usr/local/bin \
-	&& cp "$GOPATH/src/github.com/openshift/origin/images/dockerregistry/config.yml" /atomic-registry-config.yml \
-	&& rm -rf "$GOPATH" \
-	&& mkdir /registry
-
-ENV GOPATH /usr/share/gocode:/go
-ENV PATH $GOPATH/bin:/usr/share/gocode/bin:$PATH
-RUN go version
-WORKDIR /go/src/github.com/containers/skopeo
-COPY . /go/src/github.com/containers/skopeo
-
-#ENTRYPOINT ["hack/dind"]
--- a/Dockerfile.build
+++ b/Dockerfile.build
@@ -1,9 +0,0 @@
-FROM golang:1.14-buster
-
-RUN apt-get update && \
-    apt-get install -y \
-        libdevmapper-dev \
-        libgpgme11-dev
-
-ENV GOPATH=/
-WORKDIR /src/github.com/containers/skopeo
--- a/237
+++ b/237
@@ -1,46 +1,47 @@
-.PHONY: all binary build-container docs docs-in-container build-local clean install install-binary install-completions shell test-integration .install.vndr vendor vendor-in-container
+.PHONY: all binary docs docs-in-container build-local clean install install-binary install-completions shell test-integration .install.vndr vendor vendor-in-container

 export GOPROXY=https://proxy.golang.org

-ifeq ($(shell uname),Darwin)
-PREFIX ?= ${DESTDIR}/usr/local
-DARWIN_BUILD_TAG=
-# On macOS, (brew install gpgme) installs it within /usr/local, but /usr/local/include is not in the default search path.
-# Rather than hard-code this directory, use gpgme-config. Sadly that must be done at the top-level user
-# instead of locally in the gpgme subpackage, because cgo supports only pkg-config, not general shell scripts,
-# and gpgme does not install a pkg-config file.
-# If gpgme is not installed or gpgme-config can’t be found for other reasons, the error is silently ignored
-# (and the user will probably find out because the cgo compilation will fail).
-GPGME_ENV := CGO_CFLAGS="$(shell gpgme-config --cflags 2>/dev/null)" CGO_LDFLAGS="$(shell gpgme-config --libs 2>/dev/null)"
+# The following variables very roughly follow https://www.gnu.org/prep/standards/standards.html#Makefile-Conventions .
+DESTDIR ?=
+PREFIX ?= /usr/local
+ifeq ($(shell uname -s),FreeBSD)
+CONTAINERSCONFDIR ?= /usr/local/etc/containers
 else
-PREFIX ?= ${DESTDIR}/usr
+CONTAINERSCONFDIR ?= /etc/containers
 endif
+REGISTRIESDDIR ?= ${CONTAINERSCONFDIR}/registries.d
+LOOKASIDEDIR ?= /var/lib/containers/sigstore
+BINDIR ?= ${PREFIX}/bin
+MANDIR ?= ${PREFIX}/share/man

-INSTALLDIR=${PREFIX}/bin
-MANINSTALLDIR=${PREFIX}/share/man
-CONTAINERSSYSCONFIGDIR=${DESTDIR}/etc/containers
-REGISTRIESDDIR=${CONTAINERSSYSCONFIGDIR}/registries.d
-SIGSTOREDIR=${DESTDIR}/var/lib/containers/sigstore
 BASHINSTALLDIR=${PREFIX}/share/bash-completion/completions
+ZSHINSTALLDIR=${PREFIX}/share/zsh/site-functions
+FISHINSTALLDIR=${PREFIX}/share/fish/vendor_completions.d

 GO ?= go
 GOBIN := $(shell $(GO) env GOBIN)
 GOOS ?= $(shell go env GOOS)
 GOARCH ?= $(shell go env GOARCH)

+# N/B: This value is managed by Renovate, manual changes are
+# possible, as long as they don't disturb the formatting
+# (i.e. DO NOT ADD A 'v' prefix!)
+GOLANGCI_LINT_VERSION := 1.63.4
+
 ifeq ($(GOBIN),)
 GOBIN := $(GOPATH)/bin
 endif

-CONTAINER_RUNTIME := $(shell command -v podman 2> /dev/null || echo docker)
-GOMD2MAN ?= $(shell command -v go-md2man || echo '$(GOBIN)/go-md2man')
-
-# Go module support: set `-mod=vendor` to use the vendored sources.
-# See also hack/make.sh.
-ifeq ($(shell go help mod >/dev/null 2>&1 && echo true), true)
-  GO:=GO111MODULE=on $(GO)
-  MOD_VENDOR=-mod=vendor
-endif
+# Scripts may also use CONTAINER_RUNTIME, so we need to export it.
+# Note possibly non-obvious aspects of this:
+# - We need to use 'command -v' here, not 'which', for compatibility with MacOS.
+# - GNU Make 4.2.1 (included in Ubuntu 20.04) incorrectly tries to avoid invoking
+#   a shell, and fails because there is no /usr/bin/command. The trailing ';' in
+#   $(shell … ;) defeats that heuristic (recommended in
+#   https://savannah.gnu.org/bugs/index.php?57625 ).
+export CONTAINER_RUNTIME ?= $(if $(shell command -v podman ;),podman,docker)
+GOMD2MAN ?= $(if $(shell command -v go-md2man ;),go-md2man,$(GOBIN)/go-md2man)

 ifeq ($(DEBUG), 1)
  override GOGCFLAGS += -N -l
@@ -52,10 +53,25 @@ ifeq ($(GOOS), linux)
  endif
 endif

-GIT_BRANCH := $(shell git rev-parse --abbrev-ref HEAD 2>/dev/null)
-IMAGE := skopeo-dev$(if $(GIT_BRANCH),:$(GIT_BRANCH))
-# set env like gobuildtag?
-CONTAINER_CMD := ${CONTAINER_RUNTIME} run --rm -i -e TESTFLAGS="$(TESTFLAGS)" #$(CONTAINER_ENVS)
+# If $TESTFLAGS is set, it is passed as extra arguments to 'go test'.
+# You can select certain tests to run, with `-run <regex>` for example:
+#
+#     make test-unit TESTFLAGS='-run ^TestManifestDigest$'
+#     make test-integration TESTFLAGS='-run copySuite.TestCopy.*'
+export TESTFLAGS ?= -timeout=15m
+
+# This is assumed to be set non-empty when operating inside a CI/automation environment
+CI ?=
+
+# This env. var. is interpreted by some tests as a permission to
+# modify local configuration files and services.
+export SKOPEO_CONTAINER_TESTS ?= $(if $(CI),1,0)
+
+# This is a compromise, we either use a container for this or require
+# the local user to have a compatible python3 development environment.
+# Define it as a "resolve on use" variable to avoid calling out when possible
+SKOPEO_CIDEV_CONTAINER_FQIN ?= $(shell hack/get_fqin.sh)
+CONTAINER_CMD ?= ${CONTAINER_RUNTIME} run --rm -i -e TESTFLAGS="$(TESTFLAGS)" -e CI=$(CI) -e SKOPEO_CONTAINER_TESTS=1
 # if this session isn't interactive, then we don't want to allocate a
 # TTY, which would fail, but if it is interactive, we do want to attach
 # so that the user can send e.g. ^C through.
@@ -63,9 +79,10 @@ INTERACTIVE := $(shell [ -t 0 ] && echo 1 || echo 0)
 ifeq ($(INTERACTIVE), 1)
 	CONTAINER_CMD += -t
 endif
-CONTAINER_RUN := $(CONTAINER_CMD) "$(IMAGE)"
+CONTAINER_GOSRC = /src/github.com/containers/skopeo
+CONTAINER_RUN ?= $(CONTAINER_CMD) --security-opt label=disable -v $(CURDIR):$(CONTAINER_GOSRC) -w $(CONTAINER_GOSRC) $(SKOPEO_CIDEV_CONTAINER_FQIN)

-GIT_COMMIT := $(shell git rev-parse HEAD 2> /dev/null || true)
+GIT_COMMIT := $(shell GIT_CEILING_DIRECTORIES=$$(cd ..; pwd) git rev-parse HEAD 2> /dev/null || true)

 EXTRA_LDFLAGS ?=
 SKOPEO_LDFLAGS := -ldflags '-X main.gitCommit=${GIT_COMMIT} $(EXTRA_LDFLAGS)'
@@ -74,12 +91,12 @@ MANPAGES_MD = $(wildcard docs/*.md)
 MANPAGES ?= $(MANPAGES_MD:%.md=%)

 BTRFS_BUILD_TAG = $(shell hack/btrfs_tag.sh) $(shell hack/btrfs_installed_tag.sh)
-LIBDM_BUILD_TAG = $(shell hack/libdm_tag.sh)
-LOCAL_BUILD_TAGS = $(BTRFS_BUILD_TAG) $(LIBDM_BUILD_TAG) $(DARWIN_BUILD_TAG)
+LIBSUBID_BUILD_TAG = $(shell hack/libsubid_tag.sh)
+LOCAL_BUILD_TAGS = $(BTRFS_BUILD_TAG) $(LIBSUBID_BUILD_TAG)
 BUILDTAGS += $(LOCAL_BUILD_TAGS)

 ifeq ($(DISABLE_CGO), 1)
-	override BUILDTAGS = exclude_graphdriver_devicemapper exclude_graphdriver_btrfs containers_image_openpgp
+	override BUILDTAGS = exclude_graphdriver_btrfs containers_image_openpgp
 endif

 #   make all DEBUG=1
@@ -88,6 +105,9 @@ endif
 #           use source debugging tools like delve.
 all: bin/skopeo docs

+codespell:
+	codespell -S Makefile,build,buildah,buildah.spec,imgtype,copy,AUTHORS,bin,vendor,.git,go.sum,CHANGELOG.md,changelog.txt,seccomp.json,.cirrus.yml,"*.xz,*.gz,*.tar,*.tgz,*ico,*.png,*.1,*.5,*.orig,*.rej" -L fpr,uint,iff,od,ERRO -w
+
 help:
 	@echo "Usage: make <target>"
 	@echo
@@ -95,8 +115,8 @@ help:
 	@echo
 	@echo " * 'install' - Install binaries and documents to system locations"
 	@echo " * 'binary' - Build skopeo with a container"
-	@echo " * 'static' - Build statically linked binary"
 	@echo " * 'bin/skopeo' - Build skopeo locally"
+	@echo " * 'bin/skopeo.OS.ARCH' - Build skopeo for specific OS and ARCH"
 	@echo " * 'test-unit' - Execute unit tests"
 	@echo " * 'test-integration' - Execute integration tests"
 	@echo " * 'validate' - Verify whether there is no conflict and all Go source files have been formatted, linted and vetted"
@@ -104,104 +124,130 @@ help:
 	@echo " * 'shell' - Run the built image and attach to a shell"
 	@echo " * 'clean' - Clean artifacts"

-# Build a container image (skopeobuild) that has everything we need to build.
-# Then do the build and the output (skopeo) should appear in current dir
+# Do the build and the output (skopeo) should appear in current dir
 binary: cmd/skopeo
-	${CONTAINER_RUNTIME} build ${BUILD_ARGS} -f Dockerfile.build -t skopeobuildimage .
-	${CONTAINER_RUNTIME} run --rm --security-opt label=disable -v $$(pwd):/src/github.com/containers/skopeo \
-		skopeobuildimage make bin/skopeo $(if $(DEBUG),DEBUG=$(DEBUG)) BUILDTAGS='$(BUILDTAGS)'
-
-# Update nix/nixpkgs.json its latest stable commit
-.PHONY: nixpkgs
-nixpkgs:
-	@nix run -f channel:nixos-20.09 nix-prefetch-git -c nix-prefetch-git \
-		--no-deepClone https://github.com/nixos/nixpkgs > nix/nixpkgs.json
-
-# Build statically linked binary
-.PHONY: static
-static:
-	@nix build -f nix/
-	mkdir -p ./bin
-	cp -rfp ./result/bin/* ./bin/
+	$(CONTAINER_RUN) make bin/skopeo $(if $(DEBUG),DEBUG=$(DEBUG)) BUILDTAGS='$(BUILDTAGS)'

 # Build w/o using containers
 .PHONY: bin/skopeo
 bin/skopeo:
-	$(GPGME_ENV) $(GO) build $(MOD_VENDOR) ${GO_DYN_FLAGS} ${SKOPEO_LDFLAGS} -gcflags "$(GOGCFLAGS)" -tags "$(BUILDTAGS)" -o $@ ./cmd/skopeo
+	$(GO) build ${GO_DYN_FLAGS} ${SKOPEO_LDFLAGS} -gcflags "$(GOGCFLAGS)" -tags "$(BUILDTAGS)" -o $@ ./cmd/skopeo
 bin/skopeo.%:
-	GOOS=$(word 2,$(subst ., ,$@)) GOARCH=$(word 3,$(subst ., ,$@)) $(GO) build $(MOD_VENDOR) ${SKOPEO_LDFLAGS} -tags "containers_image_openpgp $(BUILDTAGS)" -o $@ ./cmd/skopeo
+	GOOS=$(word 2,$(subst ., ,$@)) GOARCH=$(word 3,$(subst ., ,$@)) $(GO) build ${SKOPEO_LDFLAGS} -tags "containers_image_openpgp $(BUILDTAGS)" -o $@ ./cmd/skopeo
 local-cross: bin/skopeo.darwin.amd64 bin/skopeo.linux.arm bin/skopeo.linux.arm64 bin/skopeo.windows.386.exe bin/skopeo.windows.amd64.exe

-build-container:
-	${CONTAINER_RUNTIME} build ${BUILD_ARGS} -t "$(IMAGE)" .
-
 $(MANPAGES): %: %.md
+ifneq ($(DISABLE_DOCS), 1)
 	sed -e 's/\((skopeo.*\.md)\)//' -e 's/\[\(skopeo.*\)\]/\1/' $<  | $(GOMD2MAN) -in /dev/stdin -out $@
+endif

 docs: $(MANPAGES)

 docs-in-container:
-	${CONTAINER_RUNTIME} build ${BUILD_ARGS} -f Dockerfile.build -t skopeobuildimage .
-	${CONTAINER_RUNTIME} run --rm --security-opt label=disable -v $$(pwd):/src/github.com/containers/skopeo \
-		skopeobuildimage make docs $(if $(DEBUG),DEBUG=$(DEBUG)) BUILDTAGS='$(BUILDTAGS)'
+	${CONTAINER_RUN} $(MAKE) docs $(if $(DEBUG),DEBUG=$(DEBUG))
+
+.PHONY: completions
+completions: bin/skopeo
+	install -d -m 755 completions/bash completions/zsh completions/fish completions/powershell
+	./bin/skopeo completion bash >| completions/bash/skopeo
+	./bin/skopeo completion zsh >| completions/zsh/_skopeo
+	./bin/skopeo completion fish >| completions/fish/skopeo.fish
+	./bin/skopeo completion powershell >| completions/powershell/skopeo.ps1

 clean:
-	rm -rf bin docs/*.1
+	rm -rf bin docs/*.1 completions/

 install: install-binary install-docs install-completions
-	install -d -m 755 ${SIGSTOREDIR}
-	install -d -m 755 ${CONTAINERSSYSCONFIGDIR}
-	install -m 644 default-policy.json ${CONTAINERSSYSCONFIGDIR}/policy.json
-	install -d -m 755 ${REGISTRIESDDIR}
-	install -m 644 default.yaml ${REGISTRIESDDIR}/default.yaml
+	install -d -m 755 ${DESTDIR}${LOOKASIDEDIR}
+	install -d -m 755 ${DESTDIR}${CONTAINERSCONFDIR}
+	install -m 644 default-policy.json ${DESTDIR}${CONTAINERSCONFDIR}/policy.json
+	install -d -m 755 ${DESTDIR}${REGISTRIESDDIR}
+	install -m 644 default.yaml ${DESTDIR}${REGISTRIESDDIR}/default.yaml

 install-binary: bin/skopeo
-	install -d -m 755 ${INSTALLDIR}
-	install -m 755 bin/skopeo ${INSTALLDIR}/skopeo
+	install -d -m 755 ${DESTDIR}${BINDIR}
+	install -m 755 bin/skopeo ${DESTDIR}${BINDIR}/skopeo

 install-docs: docs
-	install -d -m 755 ${MANINSTALLDIR}/man1
-	install -m 644 docs/*.1 ${MANINSTALLDIR}/man1/
+ifneq ($(DISABLE_DOCS), 1)
+	install -d -m 755 ${DESTDIR}${MANDIR}/man1
+	install -m 644 docs/*.1 ${DESTDIR}${MANDIR}/man1
+endif

-install-completions:
-	install -m 755 -d ${BASHINSTALLDIR}
-	install -m 644 completions/bash/skopeo ${BASHINSTALLDIR}/skopeo
+install-completions: completions
+	install -d -m 755 ${DESTDIR}${BASHINSTALLDIR}
+	install -m 644 completions/bash/skopeo ${DESTDIR}${BASHINSTALLDIR}
+	install -d -m 755 ${DESTDIR}${ZSHINSTALLDIR}
+	install -m 644 completions/zsh/_skopeo ${DESTDIR}${ZSHINSTALLDIR}
+	install -d -m 755 ${DESTDIR}${FISHINSTALLDIR}
+	install -m 644 completions/fish/skopeo.fish ${DESTDIR}${FISHINSTALLDIR}
+	# There is no common location for powershell files so do not install them. Users have to source the file from their powershell profile.

-shell: build-container
+shell:
 	$(CONTAINER_RUN) bash

+tools:
+	if [ ! -x "$(GOBIN)/golangci-lint" ]; then \
+		curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(GOBIN) v$(GOLANGCI_LINT_VERSION) ; \
+	fi
+
 check: validate test-unit test-integration test-system

-# The tests can run out of entropy and block in containers, so replace /dev/random.
-test-integration: build-container
-	$(CONTAINER_RUN) bash -c 'rm -f /dev/random; ln -sf /dev/urandom /dev/random; SKOPEO_CONTAINER_TESTS=1 BUILDTAGS="$(BUILDTAGS)" hack/make.sh test-integration'
+test-integration:
+# This is intended to be equal to $(CONTAINER_RUN), but with --cap-add=cap_mknod.
+# --cap-add=cap_mknod is important to allow skopeo to use containers-storage: directly as it exists in the callers’ environment, without
+# creating a nested user namespace (which requires /etc/subuid and /etc/subgid to be set up)
+	$(CONTAINER_CMD) --security-opt label=disable --cap-add=cap_mknod -v $(CURDIR):$(CONTAINER_GOSRC) -w $(CONTAINER_GOSRC) $(SKOPEO_CIDEV_CONTAINER_FQIN) \
+		$(MAKE) test-integration-local
+
+
+# Intended for CI, assumed to be running in quay.io/libpod/skopeo_cidev container.
+test-integration-local: bin/skopeo
+	hack/warn-destructive-tests.sh
+	hack/test-integration.sh

 # complicated set of options needed to run podman-in-podman
-test-system: build-container
+test-system:
 	DTEMP=$(shell mktemp -d --tmpdir=/var/tmp podman-tmp.XXXXXX); \
 	$(CONTAINER_CMD) --privileged \
-	    -v $$DTEMP:/var/lib/containers:Z -v /run/systemd/journal/socket:/run/systemd/journal/socket \
-            "$(IMAGE)" \
-            bash -c 'BUILDTAGS="$(BUILDTAGS)" hack/make.sh test-system'; \
+		-v $(CURDIR):$(CONTAINER_GOSRC) -w $(CONTAINER_GOSRC) \
+		-v $$DTEMP:/var/lib/containers:Z -v /run/systemd/journal/socket:/run/systemd/journal/socket \
+		"$(SKOPEO_CIDEV_CONTAINER_FQIN)" \
+			$(MAKE) test-system-local; \
 	rc=$$?; \
-	$(RM) -rf $$DTEMP; \
+	$(CONTAINER_RUNTIME) unshare rm -rf $$DTEMP; # This probably doesn't work with Docker, oh well, better than nothing... \
 	exit $$rc

-test-unit: build-container
-	# Just call (make test unit-local) here instead of worrying about environment differences
-	$(CONTAINER_RUN) make test-unit-local BUILDTAGS='$(BUILDTAGS)'
+# Intended for CI, assumed to already be running in quay.io/libpod/skopeo_cidev container.
+test-system-local: bin/skopeo
+	hack/warn-destructive-tests.sh
+	hack/test-system.sh

-validate: build-container
-	$(CONTAINER_RUN) hack/make.sh validate-git-marks validate-gofmt validate-lint validate-vet
+test-unit:
+	# Just call (make test unit-local) here instead of worrying about environment differences
+	$(CONTAINER_RUN) $(MAKE) test-unit-local
+
+validate:
+	$(CONTAINER_RUN) $(MAKE) validate-local

 # This target is only intended for development, e.g. executing it from an IDE. Use (make test) for CI or pre-release testing.
-test-all-local: validate-local test-unit-local
+test-all-local: validate-local validate-docs test-unit-local

+.PHONY: validate-local
 validate-local:
-	hack/make.sh validate-git-marks validate-gofmt validate-lint validate-vet
+	hack/validate-git-marks.sh
+	hack/validate-gofmt.sh
+	GOBIN=$(GOBIN) hack/validate-lint.sh
+	BUILDTAGS="${BUILDTAGS}" hack/validate-vet.sh
+
+# This invokes bin/skopeo, hence cannot be run as part of validate-local
+.PHONY: validate-docs
+validate-docs: bin/skopeo
+	hack/man-page-checker
+	hack/xref-helpmsgs-manpages

 test-unit-local:
-	$(GPGME_ENV) $(GO) test $(MOD_VENDOR) -tags "$(BUILDTAGS)" $$($(GO) list $(MOD_VENDOR) -tags "$(BUILDTAGS)" -e ./... | grep -v '^github\.com/containers/skopeo/\(integration\|vendor/.*\)$$')
+	$(GO) test -tags "$(BUILDTAGS)" $$($(GO) list -tags "$(BUILDTAGS)" -e ./... | grep -v '^github\.com/containers/skopeo/\(integration\|vendor/.*\)$$')

 vendor:
 	$(GO) mod tidy
@@ -209,4 +255,9 @@ vendor:
 	$(GO) mod verify

 vendor-in-container:
-	podman run --privileged --rm --env HOME=/root -v `pwd`:/src -w /src docker.io/library/golang:1.13 make vendor
+	podman run --privileged --rm --env HOME=/root -v $(CURDIR):/src -w /src golang $(MAKE) vendor
+
+# CAUTION: This is not a replacement for RPMs provided by your distro.
+# Only intended to build and test the latest unreleased changes.
+rpm:
+	rpkg local
--- a/17
+++ b/17
@@ -0,0 +1,17 @@
+approvers:
+  - mtrmac
+  - lsm5
+  - TomSweeneyRedHat
+  - rhatdan
+  - vrothberg
+reviewers:
+  - ashley-cui
+  - giuseppe
+  - containers/image-maintainers
+  - lsm5
+  - mtrmac
+  - QiWang19
+  - rhatdan
+  - runcom
+  - TomSweeneyRedHat
+  - vrothberg
--- a/README.md
+++ b/README.md
@@ -1,7 +1,6 @@
-skopeo [![Build Status](https://travis-ci.org/containers/skopeo.svg?branch=master)](https://travis-ci.org/containers/skopeo)
-=
-
-<img src="https://cdn.rawgit.com/containers/skopeo/master/docs/skopeo.svg" width="250">
+<p align="center">
+   <img src="https://cdn.rawgit.com/containers/skopeo/main/docs/skopeo.svg" width="250" alt="Skopeo">
+</p>

 ----

@@ -42,6 +41,14 @@ Skopeo works with API V2 container image registries such as [docker.io](https://
 * oci:path:tag
         An image tag in a directory compliant with "Open Container Image Layout Specification" at path.

+[Obtaining skopeo](./install.md)
+-
+
+For a detailed description how to install or build skopeo, see
+[install.md](./install.md).
+
+Skopeo is also available as a Container Image on [quay.io](https://quay.io/skopeo/stable).  For more information, see the [Skopeo Image](https://github.com/containers/image_build/blob/main/skopeo/README.md) page.
+
 ## Inspecting a repository
 `skopeo` is able to _inspect_ a repository on a container registry and fetch images layers.
 The _inspect_ command fetches the repository's manifest and it is able to show you a `docker inspect`-like
@@ -56,29 +63,37 @@ Examples:
 $ skopeo inspect docker://registry.fedoraproject.org/fedora:latest
 {
    "Name": "registry.fedoraproject.org/fedora",
-    "Digest": "sha256:655721ff613ee766a4126cb5e0d5ae81598e1b0c3bcf7017c36c4d72cb092fe9",
+    "Digest": "sha256:0f65bee641e821f8118acafb44c2f8fe30c2fc6b9a2b3729c0660376391aa117",
    "RepoTags": [
-        "24",
-        "25",
-        "26-modular",
-	...
+        "34-aarch64",
+        "34",
+        "latest",
+        ...
    ],
-    "Created": "2020-04-29T06:48:16Z",
+    "Created": "2022-11-24T13:54:18Z",
    "DockerVersion": "1.10.1",
    "Labels": {
        "license": "MIT",
        "name": "fedora",
        "vendor": "Fedora Project",
-        "version": "32"
+        "version": "37"
    },
    "Architecture": "amd64",
    "Os": "linux",
    "Layers": [
-        "sha256:3088721d7dbf674fc0be64cd3cf00c25aab921cacf35fa0e7b1578500a3e1653"
+        "sha256:2a0fc6bf62e155737f0ace6142ee686f3c471c1aab4241dc3128904db46288f0"
+    ],
+    "LayersData": [
+        {
+            "MIMEType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
+            "Digest": "sha256:2a0fc6bf62e155737f0ace6142ee686f3c471c1aab4241dc3128904db46288f0",
+            "Size": 71355009,
+            "Annotations": null
+        }
    ],
    "Env": [
-        "DISTTAG=f32container",
-        "FGC=f32",
+        "DISTTAG=f37container",
+        "FGC=f37",
        "container=oci"
    ]
 }
@@ -166,11 +181,11 @@ $ skopeo sync --src docker --dest dir registry.example.com/busybox /media/usb
 skopeo uses credentials from the --creds (for skopeo inspect|delete) or --src-creds|--dest-creds (for skopeo copy) flags, if set; otherwise it uses configuration set by skopeo login, podman login, buildah login, or docker login.

 ```console
-$ skopeo login --username USER docker://myregistrydomain.com:5000
+$ skopeo login --username USER myregistrydomain.com:5000
 Password:
 $ skopeo inspect docker://myregistrydomain.com:5000/busybox
 {"Tag":"latest","Digest":"sha256:473bb2189d7b913ed7187a33d11e743fdc2f88931122a44d91a301b64419f092","RepoTags":["latest"],"Comment":"","Created":"2016-01-15T18:06:41.282540103Z","ContainerConfig":{"Hostname":"aded96b43f48","Domainname":"","User":"","AttachStdin":false,"AttachStdout":false,"AttachStderr":false,"Tty":false,"OpenStdin":false,"StdinOnce":false,"Env":null,"Cmd":["/bin/sh","-c","#(nop) CMD [\"sh\"]"],"Image":"9e77fef7a1c9f989988c06620dabc4020c607885b959a2cbd7c2283c91da3e33","Volumes":null,"WorkingDir":"","Entrypoint":null,"OnBuild":null,"Labels":null},"DockerVersion":"1.8.3","Author":"","Config":{"Hostname":"aded96b43f48","Domainname":"","User":"","AttachStdin":false,"AttachStdout":false,"AttachStderr":false,"Tty":false,"OpenStdin":false,"StdinOnce":false,"Env":null,"Cmd":["sh"],"Image":"9e77fef7a1c9f989988c06620dabc4020c607885b959a2cbd7c2283c91da3e33","Volumes":null,"WorkingDir":"","Entrypoint":null,"OnBuild":null,"Labels":null},"Architecture":"amd64","Os":"linux"}
-$ skopeo logout docker://myregistrydomain.com:5000
+$ skopeo logout myregistrydomain.com:5000
 ```

 #### Using --creds directly
@@ -184,12 +199,6 @@ $ skopeo inspect --creds=testuser:testpassword docker://myregistrydomain.com:500
 $ skopeo copy --src-creds=testuser:testpassword docker://myregistrydomain.com:5000/private oci:local_oci_image
 ```

-[Obtaining skopeo](./install.md)
-
-
-For a detailed description how to install or build skopeo, see
-[install.md](./install.md).
-
 Contributing
 -

@@ -200,14 +209,15 @@ Please read the [contribution guide](CONTRIBUTING.md) if you want to collaborate
 | -------------------------------------------------- | ---------------------------------------------------------------------------------------------|
 | [skopeo-copy(1)](/docs/skopeo-copy.1.md)           | Copy an image (manifest, filesystem layers, signatures) from one location to another.        |
 | [skopeo-delete(1)](/docs/skopeo-delete.1.md)       | Mark the image-name for later deletion by the registry's garbage collector.                                                                |
+| [skopeo-generate-sigstore-key(1)](/docs/skopeo-generate-sigstore-key.1.md)    | Generate a sigstore public/private key pair.  |
 | [skopeo-inspect(1)](/docs/skopeo-inspect.1.md)     | Return  low-level  information about image-name in a registry.                                |
 | [skopeo-list-tags(1)](/docs/skopeo-list-tags.1.md) | Return a list of tags for the transport-specific image repository.                               |
 | [skopeo-login(1)](/docs/skopeo-login.1.md)         | Login to a container registry.                                                               |
 | [skopeo-logout(1)](/docs/skopeo-logout.1.md)       | Logout of a container registry.                                                              |
 | [skopeo-manifest-digest(1)](/docs/skopeo-manifest-digest.1.md)    | Compute a manifest digest for a manifest-file and write it to standard output.   |
-| [skopeo-standalone-sign(1)](/docs/skopeo-standalone-sign.1.md)    | Debugging tool - Publish and sign an image in one step.                                                         |
-| [skopeo-standalone-verify(1)](/docs/skopeo-standalone-verify.1.md)| Verify an image signature.                                                    |
-| [skopeo-sync(1)](/docs/skopeo-sync.1.md)           | Synchronize images between container registries and local directories.                       |
+| [skopeo-standalone-sign(1)](/docs/skopeo-standalone-sign.1.md)    | Debugging tool - Sign an image locally without uploading.                     |
+| [skopeo-standalone-verify(1)](/docs/skopeo-standalone-verify.1.md)| Debugging tool - Verify an image signature from local files.                  |
+| [skopeo-sync(1)](/docs/skopeo-sync.1.md)           | Synchronize images between registry repositories and local directories.                      |

 License
 -
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -1,3 +1,3 @@
 ## Security and Disclosure Information Policy for the skopeo Project

-The skopeo Project follows the [Security and Disclosure Information Policy](https://github.com/containers/common/blob/master/SECURITY.md) for the Containers Projects.
+The skopeo Project follows the [Security and Disclosure Information Policy](https://github.com/containers/common/blob/main/SECURITY.md) for the Containers Projects.
--- a/cmd/skopeo/cgo_pthread_ordering_workaround.go
+++ b/cmd/skopeo/cgo_pthread_ordering_workaround.go
@@ -1,34 +0,0 @@
-// +build !containers_image_openpgp
-
-package main
-
-/*
-This is a pretty horrible workaround.  Due to a glibc bug
-https://bugzilla.redhat.com/show_bug.cgi?id=1326903 , we must ensure we link
-with -lgpgme before -lpthread.  Such arguments come from various packages
-using cgo, and the ordering of these arguments is, with current (go tool link),
-dependent on the order in which the cgo-using packages are found in a
-breadth-first search following dependencies, starting from “main”.
-
-Thus, if
-   import "net"
-is processed before
-   import "…/skopeo/signature"
-it will, in the next level of the BFS, pull in "runtime/cgo" (a dependency of
-"net") before "mtrmac/gpgme" (a dependency of "…/skopeo/signature"), causing
-lpthread (used by "runtime/cgo") to be used before -lgpgme.
-
-This might be possible to work around by careful import ordering, or by removing
-a direct dependency on "net", but that would be very fragile.
-
-So, until the above bug is fixed, add -lgpgme directly in the "main" package
-to ensure the needed build order.
-
-Unfortunately, this workaround needs to be applied at the top level of any user
-of "…/skopeo/signature"; it cannot be added to "…/skopeo/signature" itself,
-by that time this package is first processed by the linker, a -lpthread may
-already be queued and it would be too late.
-*/
-
-// #cgo LDFLAGS: -lgpgme
-import "C"
--- a/cmd/skopeo/completions.go
+++ b/cmd/skopeo/completions.go
@@ -0,0 +1,22 @@
+package main
+
+import (
+	"github.com/containers/image/v5/tarball"
+	"github.com/containers/image/v5/transports"
+	"github.com/spf13/cobra"
+)
+
+// autocompleteSupportedTransports list all supported transports with the colon suffix.
+func autocompleteSupportedTransports(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
+	tps := transports.ListNames()
+	suggestions := make([]string, 0, len(tps))
+	for _, tp := range tps {
+		// ListNames is generally expected to filter out deprecated transports.
+		// tarball: is not deprecated, but it is only usable from a Go caller (using tarball.ConfigUpdater),
+		// so don’t offer it on the CLI.
+		if tp != tarball.Transport.Name() {
+			suggestions = append(suggestions, tp+":")
+		}
+	}
+	return suggestions, cobra.ShellCompDirectiveNoFileComp
+}
--- a/cmd/skopeo/copy.go
+++ b/cmd/skopeo/copy.go
@@ -4,46 +4,60 @@ import (
 	"errors"
 	"fmt"
 	"io"
+	"os"
 	"strings"

+	commonFlag "github.com/containers/common/pkg/flag"
 	"github.com/containers/common/pkg/retry"
 	"github.com/containers/image/v5/copy"
 	"github.com/containers/image/v5/docker/reference"
 	"github.com/containers/image/v5/manifest"
+	"github.com/containers/image/v5/pkg/cli"
+	"github.com/containers/image/v5/pkg/cli/sigstore"
+	"github.com/containers/image/v5/signature/signer"
 	"github.com/containers/image/v5/transports"
 	"github.com/containers/image/v5/transports/alltransports"
-	"github.com/spf13/cobra"
-
 	encconfig "github.com/containers/ocicrypt/config"
 	enchelpers "github.com/containers/ocicrypt/helpers"
-	imgspecv1 "github.com/opencontainers/image-spec/specs-go/v1"
+	"github.com/spf13/cobra"
 )

 type copyOptions struct {
-	global            *globalOptions
-	srcImage          *imageOptions
-	destImage         *imageDestOptions
-	retryOpts         *retry.RetryOptions
-	additionalTags    []string       // For docker-archive: destinations, in addition to the name:tag specified as destination, also add these
-	removeSignatures  bool           // Do not copy signatures from the source image
-	signByFingerprint string         // Sign the image using a GPG key with the specified fingerprint
-	format            optionalString // Force conversion of the image to a specified format
-	quiet             bool           // Suppress output information when copying images
-	all               bool           // Copy all of the images if the source is a list
-	encryptLayer      []int          // The list of layers to encrypt
-	encryptionKeys    []string       // Keys needed to encrypt the image
-	decryptionKeys    []string       // Keys needed to decrypt the image
+	global                   *globalOptions
+	deprecatedTLSVerify      *deprecatedTLSVerifyOption
+	srcImage                 *imageOptions
+	destImage                *imageDestOptions
+	retryOpts                *retry.Options
+	additionalTags           []string                  // For docker-archive: destinations, in addition to the name:tag specified as destination, also add these
+	removeSignatures         bool                      // Do not copy signatures from the source image
+	signByFingerprint        string                    // Sign the image using a GPG key with the specified fingerprint
+	signBySigstoreParamFile  string                    // Sign the image using a sigstore signature per configuration in a param file
+	signBySigstorePrivateKey string                    // Sign the image using a sigstore private key
+	signPassphraseFile       string                    // Path pointing to a passphrase file when signing (for either signature format, but only one of them)
+	signIdentity             string                    // Identity of the signed image, must be a fully specified docker reference
+	digestFile               string                    // Write digest to this file
+	format                   commonFlag.OptionalString // Force conversion of the image to a specified format
+	quiet                    bool                      // Suppress output information when copying images
+	all                      bool                      // Copy all of the images if the source is a list
+	multiArch                commonFlag.OptionalString // How to handle multi architecture images
+	preserveDigests          bool                      // Preserve digests during copy
+	encryptLayer             []int                     // The list of layers to encrypt
+	encryptionKeys           []string                  // Keys needed to encrypt the image
+	decryptionKeys           []string                  // Keys needed to decrypt the image
+	imageParallelCopies      uint                      // Maximum number of parallel requests when copying images
 }

 func copyCmd(global *globalOptions) *cobra.Command {
 	sharedFlags, sharedOpts := sharedImageFlags()
-	srcFlags, srcOpts := imageFlags(global, sharedOpts, "src-", "screds")
-	destFlags, destOpts := imageDestFlags(global, sharedOpts, "dest-", "dcreds")
+	deprecatedTLSVerifyFlags, deprecatedTLSVerifyOpt := deprecatedTLSVerifyFlags()
+	srcFlags, srcOpts := imageFlags(global, sharedOpts, deprecatedTLSVerifyOpt, "src-", "screds")
+	destFlags, destOpts := imageDestFlags(global, sharedOpts, deprecatedTLSVerifyOpt, "dest-", "dcreds")
 	retryFlags, retryOpts := retryFlags()
 	opts := copyOptions{global: global,
-		srcImage:  srcOpts,
-		destImage: destOpts,
-		retryOpts: retryOpts,
+		deprecatedTLSVerify: deprecatedTLSVerifyOpt,
+		srcImage:            srcOpts,
+		destImage:           destOpts,
+		retryOpts:           retryOpts,
 	}
 	cmd := &cobra.Command{
 		Use:   "copy [command options] SOURCE-IMAGE DESTINATION-IMAGE",
@@ -55,31 +69,63 @@ Supported transports:

 See skopeo(1) section "IMAGE NAMES" for the expected format
 `, strings.Join(transports.ListNames(), ", ")),
-		RunE:    commandAction(opts.run),
-		Example: `skopeo copy docker://quay.io/skopeo/stable:latest docker://registry.example.com/skopeo:latest`,
+		RunE:              commandAction(opts.run),
+		Example:           `skopeo copy docker://quay.io/skopeo/stable:latest docker://registry.example.com/skopeo:latest`,
+		ValidArgsFunction: autocompleteSupportedTransports,
 	}
 	adjustUsage(cmd)
 	flags := cmd.Flags()
 	flags.AddFlagSet(&sharedFlags)
+	flags.AddFlagSet(&deprecatedTLSVerifyFlags)
 	flags.AddFlagSet(&srcFlags)
 	flags.AddFlagSet(&destFlags)
 	flags.AddFlagSet(&retryFlags)
 	flags.StringSliceVar(&opts.additionalTags, "additional-tag", []string{}, "additional tags (supports docker-archive)")
 	flags.BoolVarP(&opts.quiet, "quiet", "q", false, "Suppress output information when copying images")
 	flags.BoolVarP(&opts.all, "all", "a", false, "Copy all images if SOURCE-IMAGE is a list")
+	flags.Var(commonFlag.NewOptionalStringValue(&opts.multiArch), "multi-arch", `How to handle multi-architecture images (system, all, or index-only)`)
+	flags.BoolVar(&opts.preserveDigests, "preserve-digests", false, "Preserve digests of images and lists")
 	flags.BoolVar(&opts.removeSignatures, "remove-signatures", false, "Do not copy signatures from SOURCE-IMAGE")
 	flags.StringVar(&opts.signByFingerprint, "sign-by", "", "Sign the image using a GPG key with the specified `FINGERPRINT`")
-	flags.VarP(newOptionalStringValue(&opts.format), "format", "f", `MANIFEST TYPE (oci, v2s1, or v2s2) to use when saving image to directory using the 'dir:' transport (default is manifest type of source)`)
+	flags.StringVar(&opts.signBySigstoreParamFile, "sign-by-sigstore", "", "Sign the image using a sigstore parameter file at `PATH`")
+	flags.StringVar(&opts.signBySigstorePrivateKey, "sign-by-sigstore-private-key", "", "Sign the image using a sigstore private key at `PATH`")
+	flags.StringVar(&opts.signPassphraseFile, "sign-passphrase-file", "", "Read a passphrase for signing an image from `PATH`")
+	flags.StringVar(&opts.signIdentity, "sign-identity", "", "Identity of signed image, must be a fully specified docker reference. Defaults to the target docker reference.")
+	flags.StringVar(&opts.digestFile, "digestfile", "", "Write the digest of the pushed image to the specified file")
+	flags.VarP(commonFlag.NewOptionalStringValue(&opts.format), "format", "f", `MANIFEST TYPE (oci, v2s1, or v2s2) to use in the destination (default is manifest type of source, with fallbacks)`)
 	flags.StringSliceVar(&opts.encryptionKeys, "encryption-key", []string{}, "*Experimental* key with the encryption protocol to use needed to encrypt the image (e.g. jwe:/path/to/key.pem)")
 	flags.IntSliceVar(&opts.encryptLayer, "encrypt-layer", []int{}, "*Experimental* the 0-indexed layer indices, with support for negative indexing (e.g. 0 is the first layer, -1 is the last layer)")
 	flags.StringSliceVar(&opts.decryptionKeys, "decryption-key", []string{}, "*Experimental* key needed to decrypt the image")
+	flags.UintVar(&opts.imageParallelCopies, "image-parallel-copies", 0, "Maximum number of image layers to be copied (pulled/pushed) simultaneously. Not setting this field will fall back to containers/image defaults.")
 	return cmd
 }

-func (opts *copyOptions) run(args []string, stdout io.Writer) error {
+// parseMultiArch parses the list processing selection
+// It returns the copy.ImageListSelection to use with image.Copy option
+func parseMultiArch(multiArch string) (copy.ImageListSelection, error) {
+	switch multiArch {
+	case "system":
+		return copy.CopySystemImage, nil
+	case "all":
+		return copy.CopyAllImages, nil
+	// There is no CopyNoImages value in copy.ImageListSelection, but because we
+	// don't provide an option to select a set of images to copy, we can use
+	// CopySpecificImages.
+	case "index-only":
+		return copy.CopySpecificImages, nil
+	// We don't expose CopySpecificImages other than index-only above, because
+	// we currently don't provide an option to choose the images to copy. That
+	// could be added in the future.
+	default:
+		return copy.CopySystemImage, fmt.Errorf("unknown multi-arch option %q. Choose one of the supported options: 'system', 'all', or 'index-only'", multiArch)
+	}
+}
+
+func (opts *copyOptions) run(args []string, stdout io.Writer) (retErr error) {
 	if len(args) != 2 {
 		return errorShouldDisplayUsage{errors.New("Exactly two arguments expected")}
 	}
+	opts.deprecatedTLSVerify.warnIfUsed([]string{"--src-tls-verify", "--dest-tls-verify"})
 	imageNames := args

 	if err := reexecIfNecessaryForImages(imageNames...); err != nil {
@@ -90,7 +136,11 @@ func (opts *copyOptions) run(args []string, stdout io.Writer) error {
 	if err != nil {
 		return fmt.Errorf("Error loading trust policy: %v", err)
 	}
-	defer policyContext.Destroy()
+	defer func() {
+		if err := policyContext.Destroy(); err != nil {
+			retErr = noteCloseFailure(retErr, "tearing down policy context", err)
+		}
+	}()

 	srcRef, err := alltransports.ParseImageName(imageNames[0])
 	if err != nil {
@@ -111,16 +161,10 @@ func (opts *copyOptions) run(args []string, stdout io.Writer) error {
 	}

 	var manifestType string
-	if opts.format.present {
-		switch opts.format.value {
-		case "oci":
-			manifestType = imgspecv1.MediaTypeImageManifest
-		case "v2s1":
-			manifestType = manifest.DockerV2Schema1SignedMediaType
-		case "v2s2":
-			manifestType = manifest.DockerV2Schema2MediaType
-		default:
-			return fmt.Errorf("unknown format %q. Choose one of the supported formats: 'oci', 'v2s1', or 'v2s2'", opts.format.value)
+	if opts.format.Present() {
+		manifestType, err = parseManifestFormat(opts.format.Value())
+		if err != nil {
+			return err
 		}
 	}

@@ -142,7 +186,17 @@ func (opts *copyOptions) run(args []string, stdout io.Writer) error {
 	if opts.quiet {
 		stdout = nil
 	}
+
 	imageListSelection := copy.CopySystemImage
+	if opts.multiArch.Present() && opts.all {
+		return fmt.Errorf("Cannot use --all and --multi-arch flags together")
+	}
+	if opts.multiArch.Present() {
+		imageListSelection, err = parseMultiArch(opts.multiArch.Value())
+		if err != nil {
+			return err
+		}
+	}
 	if opts.all {
 		imageListSelection = copy.CopyAllImages
 	}
@@ -183,19 +237,85 @@ func (opts *copyOptions) run(args []string, stdout io.Writer) error {
 		decConfig = cc.DecryptConfig
 	}

-	return retry.RetryIfNecessary(ctx, func() error {
-		_, err = copy.Image(ctx, policyContext, destRef, srcRef, &copy.Options{
-			RemoveSignatures:      opts.removeSignatures,
-			SignBy:                opts.signByFingerprint,
-			ReportWriter:          stdout,
-			SourceCtx:             sourceCtx,
-			DestinationCtx:        destinationCtx,
-			ForceManifestMIMEType: manifestType,
-			ImageListSelection:    imageListSelection,
-			OciDecryptConfig:      decConfig,
-			OciEncryptLayers:      encLayers,
-			OciEncryptConfig:      encConfig,
+	// c/image/copy.Image does allow creating both simple signing and sigstore signatures simultaneously,
+	// with independent passphrases, but that would make the CLI probably too confusing.
+	// For now, use the passphrase with either, but only one of them.
+	if opts.signPassphraseFile != "" && opts.signByFingerprint != "" && opts.signBySigstorePrivateKey != "" {
+		return fmt.Errorf("Only one of --sign-by and sign-by-sigstore-private-key can be used with sign-passphrase-file")
+	}
+	var passphrase string
+	if opts.signPassphraseFile != "" {
+		p, err := cli.ReadPassphraseFile(opts.signPassphraseFile)
+		if err != nil {
+			return err
+		}
+		passphrase = p
+	} else if opts.signBySigstorePrivateKey != "" {
+		p, err := promptForPassphrase(opts.signBySigstorePrivateKey, os.Stdin, os.Stdout)
+		if err != nil {
+			return err
+		}
+		passphrase = p
+	} // opts.signByFingerprint triggers a GPG-agent passphrase prompt, possibly using a more secure channel, so we usually shouldn’t prompt ourselves if no passphrase was explicitly provided.
+
+	var signers []*signer.Signer
+	if opts.signBySigstoreParamFile != "" {
+		signer, err := sigstore.NewSignerFromParameterFile(opts.signBySigstoreParamFile, &sigstore.Options{
+			PrivateKeyPassphrasePrompt: func(keyFile string) (string, error) {
+				return promptForPassphrase(keyFile, os.Stdin, os.Stdout)
+			},
+			Stdin:  os.Stdin,
+			Stdout: stdout,
 		})
-		return err
+		if err != nil {
+			return fmt.Errorf("Error using --sign-by-sigstore: %w", err)
+		}
+		defer signer.Close()
+		signers = append(signers, signer)
+	}
+
+	var signIdentity reference.Named = nil
+	if opts.signIdentity != "" {
+		signIdentity, err = reference.ParseNamed(opts.signIdentity)
+		if err != nil {
+			return fmt.Errorf("Could not parse --sign-identity: %v", err)
+		}
+	}
+
+	opts.destImage.warnAboutIneffectiveOptions(destRef.Transport())
+
+	return retry.IfNecessary(ctx, func() error {
+		manifestBytes, err := copy.Image(ctx, policyContext, destRef, srcRef, &copy.Options{
+			RemoveSignatures:                 opts.removeSignatures,
+			Signers:                          signers,
+			SignBy:                           opts.signByFingerprint,
+			SignPassphrase:                   passphrase,
+			SignBySigstorePrivateKeyFile:     opts.signBySigstorePrivateKey,
+			SignSigstorePrivateKeyPassphrase: []byte(passphrase),
+			SignIdentity:                     signIdentity,
+			ReportWriter:                     stdout,
+			SourceCtx:                        sourceCtx,
+			DestinationCtx:                   destinationCtx,
+			ForceManifestMIMEType:            manifestType,
+			ImageListSelection:               imageListSelection,
+			PreserveDigests:                  opts.preserveDigests,
+			OciDecryptConfig:                 decConfig,
+			OciEncryptLayers:                 encLayers,
+			OciEncryptConfig:                 encConfig,
+			MaxParallelDownloads:             opts.imageParallelCopies,
+		})
+		if err != nil {
+			return err
+		}
+		if opts.digestFile != "" {
+			manifestDigest, err := manifest.Digest(manifestBytes)
+			if err != nil {
+				return err
+			}
+			if err = os.WriteFile(opts.digestFile, []byte(manifestDigest.String()), 0644); err != nil {
+				return fmt.Errorf("Failed to write digest to file %q: %w", opts.digestFile, err)
+			}
+		}
+		return nil
 	}, opts.retryOpts)
 }
--- a/cmd/skopeo/copy_test.go
+++ b/cmd/skopeo/copy_test.go
@@ -0,0 +1,18 @@
+package main
+
+import "testing"
+
+func TestCopy(t *testing.T) {
+	// Invalid command-line arguments
+	for _, args := range [][]string{
+		{},
+		{"a1"},
+		{"a1", "a2", "a3"},
+	} {
+		out, err := runSkopeo(append([]string{"--insecure-policy", "copy"}, args...)...)
+		assertTestFailed(t, out, err, "Exactly two arguments expected")
+	}
+
+	// FIXME: Much more test coverage
+	// Actual feature tests exist in integration and systemtest
+}
--- a/cmd/skopeo/delete.go
+++ b/cmd/skopeo/delete.go
@@ -15,12 +15,12 @@ import (
 type deleteOptions struct {
 	global    *globalOptions
 	image     *imageOptions
-	retryOpts *retry.RetryOptions
+	retryOpts *retry.Options
 }

 func deleteCmd(global *globalOptions) *cobra.Command {
 	sharedFlags, sharedOpts := sharedImageFlags()
-	imageFlags, imageOpts := imageFlags(global, sharedOpts, "", "")
+	imageFlags, imageOpts := imageFlags(global, sharedOpts, nil, "", "")
 	retryFlags, retryOpts := retryFlags()
 	opts := deleteOptions{
 		global:    global,
@@ -35,8 +35,9 @@ Supported transports:
 %s
 See skopeo(1) section "IMAGE NAMES" for the expected format
 `, strings.Join(transports.ListNames(), ", ")),
-		RunE:    commandAction(opts.run),
-		Example: `skopeo delete docker://registry.example.com/example/pause:latest`,
+		RunE:              commandAction(opts.run),
+		Example:           `skopeo delete docker://registry.example.com/example/pause:latest`,
+		ValidArgsFunction: autocompleteSupportedTransports,
 	}
 	adjustUsage(cmd)
 	flags := cmd.Flags()
@@ -69,7 +70,7 @@ func (opts *deleteOptions) run(args []string, stdout io.Writer) error {
 	ctx, cancel := opts.global.commandTimeoutContext()
 	defer cancel()

-	return retry.RetryIfNecessary(ctx, func() error {
+	return retry.IfNecessary(ctx, func() error {
 		return ref.DeleteImage(ctx, sys)
 	}, opts.retryOpts)
 }
--- a/cmd/skopeo/flag.go
+++ b/cmd/skopeo/flag.go
@@ -1,129 +0,0 @@
-package main
-
-import (
-	"strconv"
-
-	"github.com/spf13/pflag"
-)
-
-// optionalBool is a boolean with a separate presence flag.
-type optionalBool struct {
-	present bool
-	value   bool
-}
-
-// optionalBool is a cli.Generic == flag.Value implementation equivalent to
-// the one underlying flag.Bool, except that it records whether the flag has been set.
-// This is distinct from optionalBool to (pretend to) force callers to use
-// optionalBoolFlag
-type optionalBoolValue optionalBool
-
-func optionalBoolFlag(fs *pflag.FlagSet, p *optionalBool, name, usage string) *pflag.Flag {
-	flag := fs.VarPF(internalNewOptionalBoolValue(p), name, "", usage)
-	flag.NoOptDefVal = "true"
-	return flag
-}
-
-// WARNING: Do not directly use this method to define optionalBool flag.
-// Caller should use optionalBoolFlag
-func internalNewOptionalBoolValue(p *optionalBool) pflag.Value {
-	p.present = false
-	return (*optionalBoolValue)(p)
-}
-
-func (ob *optionalBoolValue) Set(s string) error {
-	v, err := strconv.ParseBool(s)
-	if err != nil {
-		return err
-	}
-	ob.value = v
-	ob.present = true
-	return nil
-}
-
-func (ob *optionalBoolValue) String() string {
-	if !ob.present {
-		return "" // This is, sadly, not round-trip safe: --flag is interpreted as --flag=true
-	}
-	return strconv.FormatBool(ob.value)
-}
-
-func (ob *optionalBoolValue) Type() string {
-	return "bool"
-}
-
-func (ob *optionalBoolValue) IsBoolFlag() bool {
-	return true
-}
-
-// optionalString is a string with a separate presence flag.
-type optionalString struct {
-	present bool
-	value   string
-}
-
-// optionalString is a cli.Generic == flag.Value implementation equivalent to
-// the one underlying flag.String, except that it records whether the flag has been set.
-// This is distinct from optionalString to (pretend to) force callers to use
-// newoptionalString
-type optionalStringValue optionalString
-
-func newOptionalStringValue(p *optionalString) pflag.Value {
-	p.present = false
-	return (*optionalStringValue)(p)
-}
-
-func (ob *optionalStringValue) Set(s string) error {
-	ob.value = s
-	ob.present = true
-	return nil
-}
-
-func (ob *optionalStringValue) String() string {
-	if !ob.present {
-		return "" // This is, sadly, not round-trip safe: --flag= is interpreted as {present:true, value:""}
-	}
-	return ob.value
-}
-
-func (ob *optionalStringValue) Type() string {
-	return "string"
-}
-
-// optionalInt is a int with a separate presence flag.
-type optionalInt struct {
-	present bool
-	value   int
-}
-
-// optionalInt is a cli.Generic == flag.Value implementation equivalent to
-// the one underlying flag.Int, except that it records whether the flag has been set.
-// This is distinct from optionalInt to (pretend to) force callers to use
-// newoptionalIntValue
-type optionalIntValue optionalInt
-
-func newOptionalIntValue(p *optionalInt) pflag.Value {
-	p.present = false
-	return (*optionalIntValue)(p)
-}
-
-func (ob *optionalIntValue) Set(s string) error {
-	v, err := strconv.ParseInt(s, 0, strconv.IntSize)
-	if err != nil {
-		return err
-	}
-	ob.value = int(v)
-	ob.present = true
-	return nil
-}
-
-func (ob *optionalIntValue) String() string {
-	if !ob.present {
-		return "" // If the value is not present, just return an empty string, any other value wouldn't make sense.
-	}
-	return strconv.Itoa(int(ob.value))
-}
-
-func (ob *optionalIntValue) Type() string {
-	return "int"
-}
--- a/cmd/skopeo/flag_test.go
+++ b/cmd/skopeo/flag_test.go
@@ -1,222 +0,0 @@
-package main
-
-import (
-	"testing"
-
-	"github.com/spf13/cobra"
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-)
-
-func TestOptionalBoolSet(t *testing.T) {
-	for _, c := range []struct {
-		input    string
-		accepted bool
-		value    bool
-	}{
-		// Valid inputs documented for strconv.ParseBool == flag.BoolVar
-		{"1", true, true},
-		{"t", true, true},
-		{"T", true, true},
-		{"TRUE", true, true},
-		{"true", true, true},
-		{"True", true, true},
-		{"0", true, false},
-		{"f", true, false},
-		{"F", true, false},
-		{"FALSE", true, false},
-		{"false", true, false},
-		{"False", true, false},
-		// A few invalid inputs
-		{"", false, false},
-		{"yes", false, false},
-		{"no", false, false},
-		{"2", false, false},
-	} {
-		var ob optionalBool
-		v := internalNewOptionalBoolValue(&ob)
-		require.False(t, ob.present)
-		err := v.Set(c.input)
-		if c.accepted {
-			assert.NoError(t, err, c.input)
-			assert.Equal(t, c.value, ob.value)
-		} else {
-			assert.Error(t, err, c.input)
-			assert.False(t, ob.present) // Just to be extra paranoid.
-		}
-	}
-
-	// Nothing actually explicitly says that .Set() is never called when the flag is not present on the command line;
-	// so, check that it is not being called, at least in the straightforward case (it's not possible to test that it
-	// is not called in any possible situation).
-	var globalOB, commandOB optionalBool
-	actionRun := false
-	app := &cobra.Command{
-		Use: "app",
-	}
-	optionalBoolFlag(app.PersistentFlags(), &globalOB, "global-OB", "")
-	cmd := &cobra.Command{
-		Use: "cmd",
-		RunE: func(cmd *cobra.Command, args []string) error {
-			assert.False(t, globalOB.present)
-			assert.False(t, commandOB.present)
-			actionRun = true
-			return nil
-		},
-	}
-	optionalBoolFlag(cmd.Flags(), &commandOB, "command-OB", "")
-	app.AddCommand(cmd)
-	app.SetArgs([]string{"cmd"})
-	err := app.Execute()
-	require.NoError(t, err)
-	assert.True(t, actionRun)
-}
-
-func TestOptionalBoolString(t *testing.T) {
-	for _, c := range []struct {
-		input    optionalBool
-		expected string
-	}{
-		{optionalBool{present: true, value: true}, "true"},
-		{optionalBool{present: true, value: false}, "false"},
-		{optionalBool{present: false, value: true}, ""},
-		{optionalBool{present: false, value: false}, ""},
-	} {
-		var ob optionalBool
-		v := internalNewOptionalBoolValue(&ob)
-		ob = c.input
-		res := v.String()
-		assert.Equal(t, c.expected, res)
-	}
-}
-
-func TestOptionalBoolIsBoolFlag(t *testing.T) {
-	// IsBoolFlag means that the argument value must either be part of the same argument, with =;
-	// if there is no =, the value is set to true.
-	// This differs form other flags, where the argument is required and may be either separated with = or supplied in the next argument.
-	for _, c := range []struct {
-		input        []string
-		expectedOB   optionalBool
-		expectedArgs []string
-	}{
-		{[]string{"1", "2"}, optionalBool{present: false}, []string{"1", "2"}},                                       // Flag not present
-		{[]string{"--OB=true", "1", "2"}, optionalBool{present: true, value: true}, []string{"1", "2"}},              // --OB=true
-		{[]string{"--OB=false", "1", "2"}, optionalBool{present: true, value: false}, []string{"1", "2"}},            // --OB=false
-		{[]string{"--OB", "true", "1", "2"}, optionalBool{present: true, value: true}, []string{"true", "1", "2"}},   // --OB true
-		{[]string{"--OB", "false", "1", "2"}, optionalBool{present: true, value: true}, []string{"false", "1", "2"}}, // --OB false
-	} {
-		var ob optionalBool
-		actionRun := false
-		app := &cobra.Command{Use: "app"}
-		cmd := &cobra.Command{
-			Use: "cmd",
-			RunE: func(cmd *cobra.Command, args []string) error {
-				assert.Equal(t, c.expectedOB, ob)
-				assert.Equal(t, c.expectedArgs, args)
-				actionRun = true
-				return nil
-			},
-		}
-		optionalBoolFlag(cmd.Flags(), &ob, "OB", "")
-		app.AddCommand(cmd)
-
-		app.SetArgs(append([]string{"cmd"}, c.input...))
-		err := app.Execute()
-		require.NoError(t, err)
-		assert.True(t, actionRun)
-	}
-}
-
-func TestOptionalStringSet(t *testing.T) {
-	// Really just a smoke test, but differentiating between not present and empty.
-	for _, c := range []string{"", "hello"} {
-		var os optionalString
-		v := newOptionalStringValue(&os)
-		require.False(t, os.present)
-		err := v.Set(c)
-		assert.NoError(t, err, c)
-		assert.Equal(t, c, os.value)
-	}
-
-	// Nothing actually explicitly says that .Set() is never called when the flag is not present on the command line;
-	// so, check that it is not being called, at least in the straightforward case (it's not possible to test that it
-	// is not called in any possible situation).
-	var globalOS, commandOS optionalString
-	actionRun := false
-	app := &cobra.Command{
-		Use: "app",
-	}
-	app.PersistentFlags().Var(newOptionalStringValue(&globalOS), "global-OS", "")
-	cmd := &cobra.Command{
-		Use: "cmd",
-		RunE: func(cmd *cobra.Command, args []string) error {
-			assert.False(t, globalOS.present)
-			assert.False(t, commandOS.present)
-			actionRun = true
-			return nil
-		},
-	}
-	cmd.Flags().Var(newOptionalStringValue(&commandOS), "command-OS", "")
-	app.AddCommand(cmd)
-	app.SetArgs([]string{"cmd"})
-	err := app.Execute()
-	require.NoError(t, err)
-	assert.True(t, actionRun)
-}
-
-func TestOptionalStringString(t *testing.T) {
-	for _, c := range []struct {
-		input    optionalString
-		expected string
-	}{
-		{optionalString{present: true, value: "hello"}, "hello"},
-		{optionalString{present: true, value: ""}, ""},
-		{optionalString{present: false, value: "hello"}, ""},
-		{optionalString{present: false, value: ""}, ""},
-	} {
-		var os optionalString
-		v := newOptionalStringValue(&os)
-		os = c.input
-		res := v.String()
-		assert.Equal(t, c.expected, res)
-	}
-}
-
-func TestOptionalStringIsBoolFlag(t *testing.T) {
-	// NOTE: optionalStringValue does not implement IsBoolFlag!
-	// IsBoolFlag means that the argument value must either be part of the same argument, with =;
-	// if there is no =, the value is set to true.
-	// This differs form other flags, where the argument is required and may be either separated with = or supplied in the next argument.
-	for _, c := range []struct {
-		input        []string
-		expectedOS   optionalString
-		expectedArgs []string
-	}{
-		{[]string{"1", "2"}, optionalString{present: false}, []string{"1", "2"}},                                 // Flag not present
-		{[]string{"--OS=hello", "1", "2"}, optionalString{present: true, value: "hello"}, []string{"1", "2"}},    // --OS=true
-		{[]string{"--OS=", "1", "2"}, optionalString{present: true, value: ""}, []string{"1", "2"}},              // --OS=false
-		{[]string{"--OS", "hello", "1", "2"}, optionalString{present: true, value: "hello"}, []string{"1", "2"}}, // --OS true
-		{[]string{"--OS", "", "1", "2"}, optionalString{present: true, value: ""}, []string{"1", "2"}},           // --OS false
-	} {
-		var os optionalString
-		actionRun := false
-		app := &cobra.Command{
-			Use: "app",
-		}
-		cmd := &cobra.Command{
-			Use: "cmd",
-			RunE: func(cmd *cobra.Command, args []string) error {
-				assert.Equal(t, c.expectedOS, os)
-				assert.Equal(t, c.expectedArgs, args)
-				actionRun = true
-				return nil
-			},
-		}
-		cmd.Flags().Var(newOptionalStringValue(&os), "OS", "")
-		app.AddCommand(cmd)
-		app.SetArgs(append([]string{"cmd"}, c.input...))
-		err := app.Execute()
-		require.NoError(t, err)
-		assert.True(t, actionRun)
-	}
-}
--- a/cmd/skopeo/generate_sigstore_key.go
+++ b/cmd/skopeo/generate_sigstore_key.go
@@ -0,0 +1,90 @@
+package main
+
+import (
+	"errors"
+	"fmt"
+	"io"
+	"io/fs"
+	"os"
+
+	"github.com/containers/image/v5/pkg/cli"
+	"github.com/containers/image/v5/signature/sigstore"
+	"github.com/spf13/cobra"
+)
+
+type generateSigstoreKeyOptions struct {
+	outputPrefix   string
+	passphraseFile string
+}
+
+func generateSigstoreKeyCmd() *cobra.Command {
+	var opts generateSigstoreKeyOptions
+	cmd := &cobra.Command{
+		Use:     "generate-sigstore-key [command options] --output-prefix PREFIX",
+		Short:   "Generate a sigstore public/private key pair",
+		RunE:    commandAction(opts.run),
+		Example: "skopeo generate-sigstore-key --output-prefix my-key",
+	}
+	adjustUsage(cmd)
+	flags := cmd.Flags()
+	flags.StringVar(&opts.outputPrefix, "output-prefix", "", "Write the keys to `PREFIX`.pub and `PREFIX`.private")
+	flags.StringVar(&opts.passphraseFile, "passphrase-file", "", "Read a passphrase for the private key from `PATH`")
+	return cmd
+}
+
+// ensurePathDoesNotExist verifies that path does not refer to an existing file,
+// and returns an error if so.
+func ensurePathDoesNotExist(path string) error {
+	switch _, err := os.Stat(path); {
+	case err == nil:
+		return fmt.Errorf("Refusing to overwrite existing %q", path)
+	case errors.Is(err, fs.ErrNotExist):
+		return nil
+	default:
+		return fmt.Errorf("Error checking existence of %q: %w", path, err)
+	}
+}
+
+func (opts *generateSigstoreKeyOptions) run(args []string, stdout io.Writer) error {
+	if len(args) != 0 || opts.outputPrefix == "" {
+		return errors.New("Usage: generate-sigstore-key --output-prefix PREFIX")
+	}
+
+	pubKeyPath := opts.outputPrefix + ".pub"
+	privateKeyPath := opts.outputPrefix + ".private"
+	if err := ensurePathDoesNotExist(pubKeyPath); err != nil {
+		return err
+	}
+	if err := ensurePathDoesNotExist(privateKeyPath); err != nil {
+		return err
+	}
+
+	var passphrase string
+	if opts.passphraseFile != "" {
+		p, err := cli.ReadPassphraseFile(opts.passphraseFile)
+		if err != nil {
+			return err
+		}
+		passphrase = p
+	} else {
+		p, err := promptForPassphrase(privateKeyPath, os.Stdin, os.Stdout)
+		if err != nil {
+			return err
+		}
+		passphrase = p
+	}
+
+	keys, err := sigstore.GenerateKeyPair([]byte(passphrase))
+	if err != nil {
+		return fmt.Errorf("Error generating key pair: %w", err)
+	}
+
+	if err := os.WriteFile(privateKeyPath, keys.PrivateKey, 0600); err != nil {
+		return fmt.Errorf("Error writing private key to %q: %w", privateKeyPath, err)
+	}
+	if err := os.WriteFile(pubKeyPath, keys.PublicKey, 0644); err != nil {
+		return fmt.Errorf("Error writing private key to %q: %w", pubKeyPath, err)
+	}
+	fmt.Fprintf(stdout, "Key written to %q and %q", privateKeyPath, pubKeyPath)
+	return nil
+}
--- a/cmd/skopeo/generate_sigstore_key_test.go
+++ b/cmd/skopeo/generate_sigstore_key_test.go
@@ -0,0 +1,79 @@
+package main
+
+import (
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestGenerateSigstoreKey(t *testing.T) {
+	// Invalid command-line arguments
+	for _, args := range [][]string{
+		{},
+		{"--output-prefix", "foo", "a1"},
+	} {
+		out, err := runSkopeo(append([]string{"generate-sigstore-key"}, args...)...)
+		assertTestFailed(t, out, err, "Usage")
+	}
+
+	// One of the destination files already exists
+	outputSuffixes := []string{".pub", ".private"}
+	for _, suffix := range outputSuffixes {
+		dir := t.TempDir()
+		prefix := filepath.Join(dir, "prefix")
+		err := os.WriteFile(prefix+suffix, []byte{}, 0600)
+		require.NoError(t, err)
+		out, err := runSkopeo("generate-sigstore-key",
+			"--output-prefix", prefix, "--passphrase-file", "/dev/null",
+		)
+		assertTestFailed(t, out, err, "Refusing to overwrite")
+	}
+
+	// One of the destinations is inaccessible (simulate by a symlink that tries to
+	// traverse a non-directory)
+	for _, suffix := range outputSuffixes {
+		dir := t.TempDir()
+		nonDirectory := filepath.Join(dir, "nondirectory")
+		err := os.WriteFile(nonDirectory, []byte{}, 0600)
+		require.NoError(t, err)
+		prefix := filepath.Join(dir, "prefix")
+		err = os.Symlink(filepath.Join(nonDirectory, "unaccessible"), prefix+suffix)
+		require.NoError(t, err)
+		out, err := runSkopeo("generate-sigstore-key",
+			"--output-prefix", prefix, "--passphrase-file", "/dev/null",
+		)
+		assertTestFailed(t, out, err, prefix+suffix) // + an OS-specific error message
+	}
+	destDir := t.TempDir()
+	// Error reading passphrase
+	out, err := runSkopeo("generate-sigstore-key",
+		"--output-prefix", filepath.Join(destDir, "prefix"),
+		"--passphrase-file", filepath.Join(destDir, "this-does-not-exist"),
+	)
+	assertTestFailed(t, out, err, "this-does-not-exist")
+
+	// (The interactive passphrase prompting is not yet tested)
+
+	// Error writing outputs is untested: when unit tests run as root, we can’t use permissions on a directory to cause write failures,
+	// with the --output-prefix mechanism, and refusing to even start writing to pre-exisiting files, directories are the only mechanism
+	// we have to trigger a write failure.
+
+	// Success
+	// Just a smoke-test, usability of the keys is tested in the generate implementation.
+	dir := t.TempDir()
+	prefix := filepath.Join(dir, "prefix")
+	passphraseFile := filepath.Join(dir, "passphrase")
+	err = os.WriteFile(passphraseFile, []byte("some passphrase"), 0600)
+	require.NoError(t, err)
+	out, err = runSkopeo("generate-sigstore-key",
+		"--output-prefix", prefix, "--passphrase-file", passphraseFile,
+	)
+	assert.NoError(t, err)
+	for _, suffix := range outputSuffixes {
+		assert.Contains(t, out, prefix+suffix)
+	}
+
+}
--- a/cmd/skopeo/inspect.go
+++ b/cmd/skopeo/inspect.go
@@ -2,12 +2,10 @@ package main

 import (
 	"encoding/json"
+	"errors"
 	"fmt"
 	"io"
-	"os"
 	"strings"
-	"text/tabwriter"
-	"text/template"

 	"github.com/containers/common/pkg/report"
 	"github.com/containers/common/pkg/retry"
@@ -17,24 +15,25 @@ import (
 	"github.com/containers/image/v5/transports"
 	"github.com/containers/image/v5/types"
 	"github.com/containers/skopeo/cmd/skopeo/inspect"
+	"github.com/docker/distribution/registry/api/errcode"
 	v1 "github.com/opencontainers/image-spec/specs-go/v1"
-	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 )

 type inspectOptions struct {
-	global    *globalOptions
-	image     *imageOptions
-	retryOpts *retry.RetryOptions
-	format    string
-	raw       bool // Output the raw manifest instead of parsing information about the image
-	config    bool // Output the raw config blob instead of parsing information about the image
+	global        *globalOptions
+	image         *imageOptions
+	retryOpts     *retry.Options
+	format        string
+	raw           bool // Output the raw manifest instead of parsing information about the image
+	config        bool // Output the raw config blob instead of parsing information about the image
+	doNotListTags bool // Do not list all tags available in the same repository
 }

 func inspectCmd(global *globalOptions) *cobra.Command {
 	sharedFlags, sharedOpts := sharedImageFlags()
-	imageFlags, imageOpts := imageFlags(global, sharedOpts, "", "")
+	imageFlags, imageOpts := imageFlags(global, sharedOpts, nil, "", "")
 	retryFlags, retryOpts := retryFlags()
 	opts := inspectOptions{
 		global:    global,
@@ -52,14 +51,16 @@ See skopeo(1) section "IMAGE NAMES" for the expected format
 `, strings.Join(transports.ListNames(), ", ")),
 		RunE: commandAction(opts.run),
 		Example: `skopeo inspect docker://registry.fedoraproject.org/fedora
-  skopeo inspect --config docker://docker.io/alpine
-  skopeo inspect  --format "Name: {{.Name}} Digest: {{.Digest}}" docker://registry.access.redhat.com/ubi8`,
+skopeo inspect --config docker://docker.io/alpine
+skopeo inspect --format "Name: {{.Name}} Digest: {{.Digest}}" docker://registry.access.redhat.com/ubi8`,
+		ValidArgsFunction: autocompleteSupportedTransports,
 	}
 	adjustUsage(cmd)
 	flags := cmd.Flags()
 	flags.BoolVar(&opts.raw, "raw", false, "output raw manifest or configuration")
 	flags.BoolVar(&opts.config, "config", false, "output configuration")
 	flags.StringVarP(&opts.format, "format", "f", "", "Format the output to a Go template")
+	flags.BoolVarP(&opts.doNotListTags, "no-tags", "n", false, "Do not list the available tags from the repository in the output")
 	flags.AddFlagSet(&sharedFlags)
 	flags.AddFlagSet(&imageFlags)
 	flags.AddFlagSet(&retryFlags)
@@ -71,7 +72,6 @@ func (opts *inspectOptions) run(args []string, stdout io.Writer) (retErr error)
 		rawManifest []byte
 		src         types.ImageSource
 		imgInspect  *types.ImageInspectInfo
-		data        []interface{}
 	)
 	ctx, cancel := opts.global.commandTimeoutContext()
 	defer cancel()
@@ -93,30 +93,30 @@ func (opts *inspectOptions) run(args []string, stdout io.Writer) (retErr error)
 		return err
 	}

-	if err := retry.RetryIfNecessary(ctx, func() error {
+	if err := retry.IfNecessary(ctx, func() error {
 		src, err = parseImageSource(ctx, opts.image, imageName)
 		return err
 	}, opts.retryOpts); err != nil {
-		return errors.Wrapf(err, "Error parsing image name %q", imageName)
+		return fmt.Errorf("Error parsing image name %q: %w", imageName, err)
 	}

 	defer func() {
 		if err := src.Close(); err != nil {
-			retErr = errors.Wrapf(retErr, fmt.Sprintf("(could not close image: %v) ", err))
+			retErr = noteCloseFailure(retErr, "closing image", err)
 		}
 	}()

-	if err := retry.RetryIfNecessary(ctx, func() error {
+	if err := retry.IfNecessary(ctx, func() error {
 		rawManifest, _, err = src.GetManifest(ctx, nil)
 		return err
 	}, opts.retryOpts); err != nil {
-		return errors.Wrapf(err, "Error retrieving manifest for image")
+		return fmt.Errorf("Error retrieving manifest for image: %w", err)
 	}

 	if opts.raw && !opts.config {
 		_, err := stdout.Write(rawManifest)
 		if err != nil {
-			return fmt.Errorf("Error writing manifest to standard output: %v", err)
+			return fmt.Errorf("Error writing manifest to standard output: %w", err)
 		}

 		return nil
@@ -124,48 +124,37 @@ func (opts *inspectOptions) run(args []string, stdout io.Writer) (retErr error)

 	img, err := image.FromUnparsedImage(ctx, sys, image.UnparsedInstance(src, nil))
 	if err != nil {
-		return errors.Wrapf(err, "Error parsing manifest for image")
+		return fmt.Errorf("Error parsing manifest for image: %w", err)
 	}

 	if opts.config && opts.raw {
 		var configBlob []byte
-		if err := retry.RetryIfNecessary(ctx, func() error {
+		if err := retry.IfNecessary(ctx, func() error {
 			configBlob, err = img.ConfigBlob(ctx)
 			return err
 		}, opts.retryOpts); err != nil {
-			return errors.Wrapf(err, "Error reading configuration blob")
+			return fmt.Errorf("Error reading configuration blob: %w", err)
 		}
 		_, err = stdout.Write(configBlob)
 		if err != nil {
-			return errors.Wrapf(err, "Error writing configuration blob to standard output")
+			return fmt.Errorf("Error writing configuration blob to standard output: %w", err)
 		}
 		return nil
 	} else if opts.config {
 		var config *v1.Image
-		if err := retry.RetryIfNecessary(ctx, func() error {
+		if err := retry.IfNecessary(ctx, func() error {
 			config, err = img.OCIConfig(ctx)
 			return err
 		}, opts.retryOpts); err != nil {
-			return errors.Wrapf(err, "Error reading OCI-formatted configuration data")
+			return fmt.Errorf("Error reading OCI-formatted configuration data: %w", err)
 		}
-		if report.IsJSON(opts.format) || opts.format == "" {
-			var out []byte
-			out, err = json.MarshalIndent(config, "", "    ")
-			if err == nil {
-				fmt.Fprintf(stdout, "%s\n", string(out))
-			}
-		} else {
-			row := "{{range . }}" + report.NormalizeFormat(opts.format) + "{{end}}"
-			data = append(data, config)
-			err = printTmpl(row, data)
-		}
-		if err != nil {
-			return errors.Wrapf(err, "Error writing OCI-formatted configuration data to standard output")
+		if err := opts.writeOutput(stdout, config); err != nil {
+			return fmt.Errorf("Error writing OCI-formatted configuration data to standard output: %w", err)
 		}
 		return nil
 	}

-	if err := retry.RetryIfNecessary(ctx, func() error {
+	if err := retry.IfNecessary(ctx, func() error {
 		imgInspect, err = img.Inspect(ctx)
 		return err
 	}, opts.retryOpts); err != nil {
@@ -183,57 +172,65 @@ func (opts *inspectOptions) run(args []string, stdout io.Writer) (retErr error)
 		Architecture:  imgInspect.Architecture,
 		Os:            imgInspect.Os,
 		Layers:        imgInspect.Layers,
+		LayersData:    imgInspect.LayersData,
 		Env:           imgInspect.Env,
 	}
 	outputData.Digest, err = manifest.Digest(rawManifest)
 	if err != nil {
-		return errors.Wrapf(err, "Error computing manifest digest")
+		return fmt.Errorf("Error computing manifest digest: %w", err)
 	}
 	if dockerRef := img.Reference().DockerReference(); dockerRef != nil {
 		outputData.Name = dockerRef.Name()
 	}
-	if img.Reference().Transport() == docker.Transport {
+	if !opts.doNotListTags && img.Reference().Transport() == docker.Transport {
 		sys, err := opts.image.newSystemContext()
 		if err != nil {
 			return err
 		}
 		outputData.RepoTags, err = docker.GetRepositoryTags(ctx, sys, img.Reference())
 		if err != nil {
-			// some registries may decide to block the "list all tags" endpoint
-			// gracefully allow the inspect to continue in this case. Currently
-			// the IBM Bluemix container registry has this restriction.
-			// In addition, AWS ECR rejects it with 403 (Forbidden) if the "ecr:ListImages"
-			// action is not allowed.
-			if !strings.Contains(err.Error(), "401") && !strings.Contains(err.Error(), "403") {
-				return errors.Wrapf(err, "Error determining repository tags")
+			// Some registries may decide to block the "list all tags" endpoint;
+			// gracefully allow the inspect to continue in this case:
+			fatalFailure := true
+			// - AWS ECR rejects it if the "ecr:ListImages" action is not allowed.
+			//   https://github.com/containers/skopeo/issues/726
+			var ec errcode.ErrorCoder
+			if ok := errors.As(err, &ec); ok && ec.ErrorCode() == errcode.ErrorCodeDenied {
+				fatalFailure = false
+			}
+			// - public.ecr.aws does not implement the endpoint at all, and fails with 404:
+			//   https://github.com/containers/skopeo/issues/1230
+			//   This is actually "code":"NOT_FOUND", and the parser doesn’t preserve that.
+			//   So, also check the error text.
+			if ok := errors.As(err, &ec); ok && ec.ErrorCode() == errcode.ErrorCodeUnknown {
+				var e errcode.Error
+				if ok := errors.As(err, &e); ok && e.Code == errcode.ErrorCodeUnknown && e.Message == "404 page not found" {
+					fatalFailure = false
+				}
+			}
+			if fatalFailure {
+				return fmt.Errorf("Error determining repository tags: %w", err)
 			}
 			logrus.Warnf("Registry disallows tag list retrieval; skipping")
 		}
 	}
+	return opts.writeOutput(stdout, outputData)
+}
+
+// writeOutput writes data depending on opts.format to stdout
+func (opts *inspectOptions) writeOutput(stdout io.Writer, data any) error {
 	if report.IsJSON(opts.format) || opts.format == "" {
-		out, err := json.MarshalIndent(outputData, "", "    ")
+		out, err := json.MarshalIndent(data, "", "    ")
 		if err == nil {
 			fmt.Fprintf(stdout, "%s\n", string(out))
 		}
 		return err
 	}
-	row := "{{range . }}" + report.NormalizeFormat(opts.format) + "{{end}}"
-	data = append(data, outputData)
-	return printTmpl(row, data)
-}

-func inspectNormalize(row string) string {
-	r := strings.NewReplacer(
-		".ImageID", ".Image",
-	)
-	return r.Replace(row)
-}
-
-func printTmpl(row string, data []interface{}) error {
-	t, err := template.New("skopeo inspect").Parse(row)
+	rpt, err := report.New(stdout, "skopeo inspect").Parse(report.OriginUser, opts.format)
 	if err != nil {
 		return err
 	}
-	w := tabwriter.NewWriter(os.Stdout, 8, 2, 2, ' ', 0)
-	return t.Execute(w, data)
+	defer rpt.Flush()
+	return rpt.Execute([]any{data})
 }
--- a/cmd/skopeo/inspect/output.go
+++ b/cmd/skopeo/inspect/output.go
@@ -3,6 +3,7 @@ package inspect
 import (
 	"time"

+	"github.com/containers/image/v5/types"
 	digest "github.com/opencontainers/go-digest"
 )

@@ -19,5 +20,6 @@ type Output struct {
 	Architecture  string
 	Os            string
 	Layers        []string
+	LayersData    []types.ImageInspectLayer
 	Env           []string
 }
--- a/cmd/skopeo/layers.go
+++ b/cmd/skopeo/layers.go
@@ -1,9 +1,9 @@
 package main

 import (
+	"errors"
 	"fmt"
 	"io"
-	"io/ioutil"
 	"os"
 	"strings"

@@ -13,19 +13,18 @@ import (
 	"github.com/containers/image/v5/pkg/blobinfocache"
 	"github.com/containers/image/v5/types"
 	"github.com/opencontainers/go-digest"
-	"github.com/pkg/errors"
 	"github.com/spf13/cobra"
 )

 type layersOptions struct {
 	global    *globalOptions
 	image     *imageOptions
-	retryOpts *retry.RetryOptions
+	retryOpts *retry.Options
 }

 func layersCmd(global *globalOptions) *cobra.Command {
 	sharedFlags, sharedOpts := sharedImageFlags()
-	imageFlags, imageOpts := imageFlags(global, sharedOpts, "", "")
+	imageFlags, imageOpts := imageFlags(global, sharedOpts, nil, "", "")
 	retryFlags, retryOpts := retryFlags()
 	opts := layersOptions{
 		global:    global,
@@ -69,25 +68,25 @@ func (opts *layersOptions) run(args []string, stdout io.Writer) (retErr error) {
 		rawSource types.ImageSource
 		src       types.ImageCloser
 	)
-	if err = retry.RetryIfNecessary(ctx, func() error {
+	if err = retry.IfNecessary(ctx, func() error {
 		rawSource, err = parseImageSource(ctx, opts.image, imageName)
 		return err
 	}, opts.retryOpts); err != nil {
 		return err
 	}
-	if err = retry.RetryIfNecessary(ctx, func() error {
+	if err = retry.IfNecessary(ctx, func() error {
 		src, err = image.FromSource(ctx, sys, rawSource)
 		return err
 	}, opts.retryOpts); err != nil {
 		if closeErr := rawSource.Close(); closeErr != nil {
-			return errors.Wrapf(err, " (close error: %v)", closeErr)
+			return fmt.Errorf("%w (closing image source: %v)", err, closeErr)
 		}

 		return err
 	}
 	defer func() {
 		if err := src.Close(); err != nil {
-			retErr = errors.Wrapf(retErr, " (close error: %v)", err)
+			retErr = noteCloseFailure(retErr, "closing image", err)
 		}
 	}()

@@ -122,7 +121,7 @@ func (opts *layersOptions) run(args []string, stdout io.Writer) (retErr error) {
 		}
 	}

-	tmpDir, err := ioutil.TempDir(".", "layers-")
+	tmpDir, err := os.MkdirTemp(".", "layers-")
 	if err != nil {
 		return err
 	}
@@ -137,7 +136,7 @@ func (opts *layersOptions) run(args []string, stdout io.Writer) (retErr error) {

 	defer func() {
 		if err := dest.Close(); err != nil {
-			retErr = errors.Wrapf(retErr, " (close error: %v)", err)
+			retErr = noteCloseFailure(retErr, "closing destination", err)
 		}
 	}()

@@ -146,7 +145,7 @@ func (opts *layersOptions) run(args []string, stdout io.Writer) (retErr error) {
 			r        io.ReadCloser
 			blobSize int64
 		)
-		if err = retry.RetryIfNecessary(ctx, func() error {
+		if err = retry.IfNecessary(ctx, func() error {
 			r, blobSize, err = rawSource.GetBlob(ctx, types.BlobInfo{Digest: bd.digest, Size: -1}, cache)
 			return err
 		}, opts.retryOpts); err != nil {
@@ -154,14 +153,14 @@ func (opts *layersOptions) run(args []string, stdout io.Writer) (retErr error) {
 		}
 		if _, err := dest.PutBlob(ctx, r, types.BlobInfo{Digest: bd.digest, Size: blobSize}, cache, bd.isConfig); err != nil {
 			if closeErr := r.Close(); closeErr != nil {
-				return errors.Wrapf(err, " (close error: %v)", closeErr)
+				return fmt.Errorf("%w (close error: %v)", err, closeErr)
 			}
 			return err
 		}
 	}

 	var manifest []byte
-	if err = retry.RetryIfNecessary(ctx, func() error {
+	if err = retry.IfNecessary(ctx, func() error {
 		manifest, _, err = src.Manifest(ctx)
 		return err
 	}, opts.retryOpts); err != nil {
--- a/cmd/skopeo/list_tags.go
+++ b/cmd/skopeo/list_tags.go
@@ -3,34 +3,49 @@ package main
 import (
 	"context"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"io"
+	"sort"
 	"strings"

 	"github.com/containers/common/pkg/retry"
 	"github.com/containers/image/v5/docker"
+	"github.com/containers/image/v5/docker/archive"
 	"github.com/containers/image/v5/docker/reference"
 	"github.com/containers/image/v5/transports/alltransports"
 	"github.com/containers/image/v5/types"
-	"github.com/pkg/errors"
 	"github.com/spf13/cobra"
+	"golang.org/x/exp/maps"
 )

 // tagListOutput is the output format of (skopeo list-tags), primarily so that we can format it with a simple json.MarshalIndent.
 type tagListOutput struct {
-	Repository string
+	Repository string `json:",omitempty"`
 	Tags       []string
 }

 type tagsOptions struct {
 	global    *globalOptions
 	image     *imageOptions
-	retryOpts *retry.RetryOptions
+	retryOpts *retry.Options
+}
+
+var transportHandlers = map[string]func(ctx context.Context, sys *types.SystemContext, opts *tagsOptions, userInput string) (repositoryName string, tagListing []string, err error){
+	docker.Transport.Name():  listDockerRepoTags,
+	archive.Transport.Name(): listDockerArchiveTags,
+}
+
+// supportedTransports returns all the supported transports
+func supportedTransports(joinStr string) string {
+	res := maps.Keys(transportHandlers)
+	sort.Strings(res)
+	return strings.Join(res, joinStr)
 }

 func tagsCmd(global *globalOptions) *cobra.Command {
 	sharedFlags, sharedOpts := sharedImageFlags()
-	imageFlags, imageOpts := dockerImageFlags(global, sharedOpts, "", "")
+	imageFlags, imageOpts := dockerImageFlags(global, sharedOpts, nil, "", "")
 	retryFlags, retryOpts := retryFlags()

 	opts := tagsOptions{
@@ -38,13 +53,14 @@ func tagsCmd(global *globalOptions) *cobra.Command {
 		image:     imageOpts,
 		retryOpts: retryOpts,
 	}
+
 	cmd := &cobra.Command{
-		Use:   "list-tags [command options] REPOSITORY-NAME",
-		Short: "List tags in the transport/repository specified by the REPOSITORY-NAME",
-		Long: `Return the list of tags from the transport/repository "REPOSITORY-NAME"
+		Use:   "list-tags [command options] SOURCE-IMAGE",
+		Short: "List tags in the transport/repository specified by the SOURCE-IMAGE",
+		Long: `Return the list of tags from the transport/repository "SOURCE-IMAGE"

 Supported transports:
-docker
+` + supportedTransports(" ") + `

 See skopeo-list-tags(1) section "REPOSITORY NAMES" for the expected format
 `,
@@ -62,16 +78,12 @@ See skopeo-list-tags(1) section "REPOSITORY NAMES" for the expected format
 // Customized version of the alltransports.ParseImageName and docker.ParseReference that does not place a default tag in the reference
 // Would really love to not have this, but needed to enforce tag-less and digest-less names
 func parseDockerRepositoryReference(refString string) (types.ImageReference, error) {
-	if !strings.HasPrefix(refString, docker.Transport.Name()+"://") {
-		return nil, errors.Errorf("docker: image reference %s does not start with %s://", refString, docker.Transport.Name())
+	dockerRefString, ok := strings.CutPrefix(refString, docker.Transport.Name()+"://")
+	if !ok {
+		return nil, fmt.Errorf("docker: image reference %s does not start with %s://", refString, docker.Transport.Name())
 	}

-	parts := strings.SplitN(refString, ":", 2)
-	if len(parts) != 2 {
-		return nil, errors.Errorf(`Invalid image name "%s", expected colon-separated transport:reference`, refString)
-	}
-
-	ref, err := reference.ParseNormalizedNamed(strings.TrimPrefix(parts[1], "//"))
+	ref, err := reference.ParseNormalizedNamed(dockerRefString)
 	if err != nil {
 		return nil, err
 	}
@@ -90,11 +102,63 @@ func listDockerTags(ctx context.Context, sys *types.SystemContext, imgRef types.

 	tags, err := docker.GetRepositoryTags(ctx, sys, imgRef)
 	if err != nil {
-		return ``, nil, fmt.Errorf("Error listing repository tags: %v", err)
+		return ``, nil, fmt.Errorf("Error listing repository tags: %w", err)
 	}
 	return repositoryName, tags, nil
 }

+// return the tagLists from a docker repo
+func listDockerRepoTags(ctx context.Context, sys *types.SystemContext, opts *tagsOptions, userInput string) (repositoryName string, tagListing []string, err error) {
+	// Do transport-specific parsing and validation to get an image reference
+	imgRef, err := parseDockerRepositoryReference(userInput)
+	if err != nil {
+		return
+	}
+	if err = retry.IfNecessary(ctx, func() error {
+		repositoryName, tagListing, err = listDockerTags(ctx, sys, imgRef)
+		return err
+	}, opts.retryOpts); err != nil {
+		return
+	}
+	return
+}
+
+// return the tagLists from a docker archive file
+func listDockerArchiveTags(_ context.Context, sys *types.SystemContext, _ *tagsOptions, userInput string) (repositoryName string, tagListing []string, err error) {
+	ref, err := alltransports.ParseImageName(userInput)
+	if err != nil {
+		return
+	}
+
+	tarReader, _, err := archive.NewReaderForReference(sys, ref)
+	if err != nil {
+		return
+	}
+	defer tarReader.Close()
+
+	imageRefs, err := tarReader.List()
+	if err != nil {
+		return
+	}
+
+	var repoTags []string
+	for imageIndex, items := range imageRefs {
+		for _, ref := range items {
+			repoTags, err = tarReader.ManifestTagsForReference(ref)
+			if err != nil {
+				return
+			}
+			// handle for each untagged image
+			if len(repoTags) == 0 {
+				repoTags = []string{fmt.Sprintf("@%d", imageIndex)}
+			}
+			tagListing = append(tagListing, repoTags...)
+		}
+	}
+
+	return
+}
+
 func (opts *tagsOptions) run(args []string, stdout io.Writer) (retErr error) {
 	ctx, cancel := opts.global.commandTimeoutContext()
 	defer cancel()
@@ -113,23 +177,17 @@ func (opts *tagsOptions) run(args []string, stdout io.Writer) (retErr error) {
 		return fmt.Errorf("Invalid %q: does not specify a transport", args[0])
 	}

-	if transport.Name() != docker.Transport.Name() {
-		return fmt.Errorf("Unsupported transport '%v' for tag listing. Only '%v' currently supported", transport.Name(), docker.Transport.Name())
-	}
-
-	// Do transport-specific parsing and validation to get an image reference
-	imgRef, err := parseDockerRepositoryReference(args[0])
-	if err != nil {
-		return err
-	}
-
 	var repositoryName string
 	var tagListing []string
-	if err = retry.RetryIfNecessary(ctx, func() error {
-		repositoryName, tagListing, err = listDockerTags(ctx, sys, imgRef)
-		return err
-	}, opts.retryOpts); err != nil {
-		return err
+
+	if val, ok := transportHandlers[transport.Name()]; ok {
+		repositoryName, tagListing, err = val(ctx, sys, opts, args[0])
+		if err != nil {
+			return err
+		}
+	} else {
+		return fmt.Errorf("Unsupported transport '%s' for tag listing. Only supported: %s",
+			transport.Name(), supportedTransports(", "))
 	}

 	outputData := tagListOutput{
--- a/cmd/skopeo/list_tags_test.go
+++ b/cmd/skopeo/list_tags_test.go
@@ -5,6 +5,7 @@ import (

 	"github.com/containers/image/v5/transports/alltransports"
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )

 // Tests the kinds of inputs allowed and expected to the command
@@ -15,12 +16,11 @@ func TestDockerRepositoryReferenceParser(t *testing.T) {
 		{"docker://somehost.com"},          // Valid default expansion
 		{"docker://nginx"},                 // Valid default expansion
 	} {
-
 		ref, err := parseDockerRepositoryReference(test[0])
+		require.NoError(t, err)
 		expected, err := alltransports.ParseImageName(test[0])
-		if assert.NoError(t, err, "Could not parse, got error on %v", test[0]) {
-			assert.Equal(t, expected.DockerReference().Name(), ref.DockerReference().Name(), "Mismatched parse result for input %v", test[0])
-		}
+		require.NoError(t, err)
+		assert.Equal(t, expected.DockerReference().Name(), ref.DockerReference().Name(), "Mismatched parse result for input %v", test[0])
 	}

 	for _, test := range [][]string{
@@ -46,7 +46,6 @@ func TestDockerRepositoryReferenceParserDrift(t *testing.T) {
 		{"docker://somehost.com", "docker.io/library/somehost.com"}, // Valid default expansion
 		{"docker://nginx", "docker.io/library/nginx"},               // Valid default expansion
 	} {
-
 		ref, err := parseDockerRepositoryReference(test[0])
 		ref2, err2 := alltransports.ParseImageName(test[0])

@@ -55,3 +54,17 @@ func TestDockerRepositoryReferenceParserDrift(t *testing.T) {
 		}
 	}
 }
+
+func TestListTags(t *testing.T) {
+	// Invalid command-line arguments
+	for _, args := range [][]string{
+		{},
+		{"a1", "a2"},
+	} {
+		out, err := runSkopeo(append([]string{"list-tags"}, args...)...)
+		assertTestFailed(t, out, err, "Exactly one non-option argument expected")
+	}
+
+	// FIXME: Much more test coverage
+	// Actual feature tests exist in systemtest
+}
--- a/cmd/skopeo/login.go
+++ b/cmd/skopeo/login.go
@@ -5,6 +5,7 @@ import (
 	"os"

 	"github.com/containers/common/pkg/auth"
+	commonFlag "github.com/containers/common/pkg/flag"
 	"github.com/containers/image/v5/types"
 	"github.com/spf13/cobra"
 )
@@ -12,8 +13,7 @@ import (
 type loginOptions struct {
 	global    *globalOptions
 	loginOpts auth.LoginOptions
-	getLogin  optionalBool
-	tlsVerify optionalBool
+	tlsVerify commonFlag.OptionalBool
 }

 func loginCmd(global *globalOptions) *cobra.Command {
@@ -21,7 +21,7 @@ func loginCmd(global *globalOptions) *cobra.Command {
 		global: global,
 	}
 	cmd := &cobra.Command{
-		Use:     "login",
+		Use:     "login [command options] REGISTRY",
 		Short:   "Login to a container registry",
 		Long:    "Login to a container registry on a specified server.",
 		RunE:    commandAction(opts.run),
@@ -29,7 +29,7 @@ func loginCmd(global *globalOptions) *cobra.Command {
 	}
 	adjustUsage(cmd)
 	flags := cmd.Flags()
-	optionalBoolFlag(flags, &opts.tlsVerify, "tls-verify", "require HTTPS and verify certificates when accessing the registry")
+	commonFlag.OptionalBoolFlag(flags, &opts.tlsVerify, "tls-verify", "require HTTPS and verify certificates when accessing the registry")
 	flags.AddFlagSet(auth.GetLoginFlags(&opts.loginOpts))
 	return cmd
 }
@@ -39,9 +39,10 @@ func (opts *loginOptions) run(args []string, stdout io.Writer) error {
 	defer cancel()
 	opts.loginOpts.Stdout = stdout
 	opts.loginOpts.Stdin = os.Stdin
+	opts.loginOpts.AcceptRepositories = true
 	sys := opts.global.newSystemContext()
-	if opts.tlsVerify.present {
-		sys.DockerInsecureSkipTLSVerify = types.NewOptionalBool(!opts.tlsVerify.value)
+	if opts.tlsVerify.Present() {
+		sys.DockerInsecureSkipTLSVerify = types.NewOptionalBool(!opts.tlsVerify.Value())
 	}
 	return auth.Login(ctx, sys, &opts.loginOpts, args)
 }
--- a/cmd/skopeo/login_test.go
+++ b/cmd/skopeo/login_test.go
@@ -0,0 +1,18 @@
+package main
+
+import (
+	"path/filepath"
+	"testing"
+)
+
+func TestLogin(t *testing.T) {
+	dir := t.TempDir()
+	authFile := filepath.Join(dir, "auth.json")
+	compatAuthFile := filepath.Join(dir, "config.json")
+
+	// Just a trivial smoke-test exercising one error-handling path.
+	// We can’t test full operation without a registry, unit tests should mostly
+	// exist in c/common/pkg/auth, not here.
+	out, err := runSkopeo("login", "--authfile", authFile, "--compat-auth-file", compatAuthFile, "example.com")
+	assertTestFailed(t, out, err, "options for paths to the credential file and to the Docker-compatible credential file can not be set simultaneously")
+}
--- a/cmd/skopeo/logout.go
+++ b/cmd/skopeo/logout.go
@@ -4,12 +4,15 @@ import (
 	"io"

 	"github.com/containers/common/pkg/auth"
+	commonFlag "github.com/containers/common/pkg/flag"
+	"github.com/containers/image/v5/types"
 	"github.com/spf13/cobra"
 )

 type logoutOptions struct {
 	global     *globalOptions
 	logoutOpts auth.LogoutOptions
+	tlsVerify  commonFlag.OptionalBool
 }

 func logoutCmd(global *globalOptions) *cobra.Command {
@@ -17,19 +20,25 @@ func logoutCmd(global *globalOptions) *cobra.Command {
 		global: global,
 	}
 	cmd := &cobra.Command{
-		Use:     "logout",
+		Use:     "logout [command options] REGISTRY",
 		Short:   "Logout of a container registry",
 		Long:    "Logout of a container registry on a specified server.",
 		RunE:    commandAction(opts.run),
 		Example: `skopeo logout quay.io`,
 	}
 	adjustUsage(cmd)
-	cmd.Flags().AddFlagSet(auth.GetLogoutFlags(&opts.logoutOpts))
+	flags := cmd.Flags()
+	commonFlag.OptionalBoolFlag(flags, &opts.tlsVerify, "tls-verify", "require HTTPS and verify certificates when accessing the registry")
+	flags.AddFlagSet(auth.GetLogoutFlags(&opts.logoutOpts))
 	return cmd
 }

 func (opts *logoutOptions) run(args []string, stdout io.Writer) error {
 	opts.logoutOpts.Stdout = stdout
+	opts.logoutOpts.AcceptRepositories = true
 	sys := opts.global.newSystemContext()
+	if opts.tlsVerify.Present() {
+		sys.DockerInsecureSkipTLSVerify = types.NewOptionalBool(!opts.tlsVerify.Value())
+	}
 	return auth.Logout(sys, &opts.logoutOpts, args)
 }
--- a/cmd/skopeo/logout_test.go
+++ b/cmd/skopeo/logout_test.go
@@ -0,0 +1,25 @@
+package main
+
+import (
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestLogout(t *testing.T) {
+	dir := t.TempDir()
+	authFile := filepath.Join(dir, "auth.json")
+	compatAuthFile := filepath.Join(dir, "config.json")
+
+	// Just a trivial smoke-test exercising one error-handling path.
+	// We can’t test full operation without a registry, unit tests should mostly
+	// exist in c/common/pkg/auth, not here.
+	err := os.WriteFile(authFile, []byte("{}"), 0o700)
+	require.NoError(t, err)
+	err = os.WriteFile(compatAuthFile, []byte("{}"), 0o700)
+	require.NoError(t, err)
+	out, err := runSkopeo("logout", "--authfile", authFile, "--compat-auth-file", compatAuthFile, "example.com")
+	assertTestFailed(t, out, err, "options for paths to the credential file and to the Docker-compatible credential file can not be set simultaneously")
+}
--- a/cmd/skopeo/main.go
+++ b/cmd/skopeo/main.go
@@ -3,8 +3,10 @@ package main
 import (
 	"context"
 	"fmt"
+	"strings"
 	"time"

+	commonFlag "github.com/containers/common/pkg/flag"
 	"github.com/containers/image/v5/signature"
 	"github.com/containers/image/v5/types"
 	"github.com/containers/skopeo/version"
@@ -17,18 +19,35 @@ import (
 // and will be populated by the Makefile
 var gitCommit = ""

+var defaultUserAgent = "skopeo/" + version.Version
+
 type globalOptions struct {
-	debug              bool          // Enable debug output
-	tlsVerify          optionalBool  // Require HTTPS and verify certificates (for docker: and docker-daemon:)
-	policyPath         string        // Path to a signature verification policy file
-	insecurePolicy     bool          // Use an "allow everything" signature verification policy
-	registriesDirPath  string        // Path to a "registries.d" registry configuration directory
-	overrideArch       string        // Architecture to use for choosing images, instead of the runtime one
-	overrideOS         string        // OS to use for choosing images, instead of the runtime one
-	overrideVariant    string        // Architecture variant to use for choosing images, instead of the runtime one
-	commandTimeout     time.Duration // Timeout for the command execution
-	registriesConfPath string        // Path to the "registries.conf" file
-	tmpDir             string        // Path to use for big temporary files
+	debug              bool                    // Enable debug output
+	tlsVerify          commonFlag.OptionalBool // Require HTTPS and verify certificates (for docker: and docker-daemon:)
+	policyPath         string                  // Path to a signature verification policy file
+	insecurePolicy     bool                    // Use an "allow everything" signature verification policy
+	registriesDirPath  string                  // Path to a "registries.d" registry configuration directory
+	overrideArch       string                  // Architecture to use for choosing images, instead of the runtime one
+	overrideOS         string                  // OS to use for choosing images, instead of the runtime one
+	overrideVariant    string                  // Architecture variant to use for choosing images, instead of the runtime one
+	commandTimeout     time.Duration           // Timeout for the command execution
+	registriesConfPath string                  // Path to the "registries.conf" file
+	tmpDir             string                  // Path to use for big temporary files
+}
+
+// requireSubcommand returns an error if no sub command is provided
+// This was copied from podman: `github.com/containers/podman/cmd/podman/validate/args.go
+// Some small style changes to match skopeo were applied, but try to apply any
+// bugfixes there first.
+func requireSubcommand(cmd *cobra.Command, args []string) error {
+	if len(args) > 0 {
+		suggestions := cmd.SuggestionsFor(args[0])
+		if len(suggestions) == 0 {
+			return fmt.Errorf("Unrecognized command `%[1]s %[2]s`\nTry '%[1]s --help' for more information", cmd.CommandPath(), args[0])
+		}
+		return fmt.Errorf("Unrecognized command `%[1]s %[2]s`\n\nDid you mean this?\n\t%[3]s\n\nTry '%[1]s --help' for more information", cmd.CommandPath(), args[0], strings.Join(suggestions, "\n\t"))
+	}
+	return fmt.Errorf("Missing command '%[1]s COMMAND'\nTry '%[1]s --help' for more information", cmd.CommandPath())
 }

 // createApp returns a cobra.Command, and the underlying globalOptions object, to be run or tested.
@@ -36,13 +55,20 @@ func createApp() (*cobra.Command, *globalOptions) {
 	opts := globalOptions{}

 	rootCommand := &cobra.Command{
-		Use:  "skopeo",
-		Long: "Various operations with container images and container image registries",
-		PersistentPreRunE: func(cmd *cobra.Command, args []string) error {
-			return opts.before(cmd)
-		},
-		SilenceUsage:  true,
-		SilenceErrors: true,
+		Use:               "skopeo",
+		Long:              "Various operations with container images and container image registries",
+		RunE:              requireSubcommand,
+		PersistentPreRunE: opts.before,
+		SilenceUsage:      true,
+		SilenceErrors:     true,
+		// Hide the completion command which is provided by cobra
+		CompletionOptions: cobra.CompletionOptions{HiddenDefaultCmd: true},
+		// This is documented to parse "local" (non-PersistentFlags) flags of parent commands before
+		// running subcommands and handling their options. We don't really run into such cases,
+		// because all of our flags on rootCommand are in PersistentFlags, except for the deprecated --tls-verify;
+		// in that case we need TraverseChildren so that we can distinguish between
+		// (skopeo --tls-verify inspect) (causes a warning) and (skopeo inspect --tls-verify) (no warning).
+		TraverseChildren: true,
 	}
 	if gitCommit != "" {
 		rootCommand.Version = fmt.Sprintf("%s commit: %s", version.Version, gitCommit)
@@ -53,8 +79,6 @@ func createApp() (*cobra.Command, *globalOptions) {
 	var dummyVersion bool
 	rootCommand.Flags().BoolVarP(&dummyVersion, "version", "v", false, "Version for Skopeo")
 	rootCommand.PersistentFlags().BoolVar(&opts.debug, "debug", false, "enable debug output")
-	flag := optionalBoolFlag(rootCommand.PersistentFlags(), &opts.tlsVerify, "tls-verify", "Require HTTPS and verify certificates when accessing the registry")
-	flag.Hidden = true
 	rootCommand.PersistentFlags().StringVar(&opts.policyPath, "policy", "", "Path to a trust policy file")
 	rootCommand.PersistentFlags().BoolVar(&opts.insecurePolicy, "insecure-policy", false, "run the tool without any policy check")
 	rootCommand.PersistentFlags().StringVar(&opts.registriesDirPath, "registries.d", "", "use registry configuration files in `DIR` (e.g. for container signature storage)")
@@ -67,14 +91,18 @@ func createApp() (*cobra.Command, *globalOptions) {
 		logrus.Fatal("unable to mark registries-conf flag as hidden")
 	}
 	rootCommand.PersistentFlags().StringVar(&opts.tmpDir, "tmpdir", "", "directory used to store temporary files")
+	flag := commonFlag.OptionalBoolFlag(rootCommand.Flags(), &opts.tlsVerify, "tls-verify", "Require HTTPS and verify certificates when accessing the registry")
+	flag.Hidden = true
 	rootCommand.AddCommand(
 		copyCmd(&opts),
 		deleteCmd(&opts),
+		generateSigstoreKeyCmd(),
 		inspectCmd(&opts),
 		layersCmd(&opts),
 		loginCmd(&opts),
 		logoutCmd(&opts),
 		manifestDigestCmd(),
+		proxyCmd(&opts),
 		syncCmd(&opts),
 		standaloneSignCmd(),
 		standaloneVerifyCmd(),
@@ -85,11 +113,11 @@ func createApp() (*cobra.Command, *globalOptions) {
 }

 // before is run by the cli package for any command, before running the command-specific handler.
-func (opts *globalOptions) before(cmd *cobra.Command) error {
+func (opts *globalOptions) before(cmd *cobra.Command, args []string) error {
 	if opts.debug {
 		logrus.SetLevel(logrus.DebugLevel)
 	}
-	if opts.tlsVerify.present {
+	if opts.tlsVerify.Present() {
 		logrus.Warn("'--tls-verify' is deprecated, please set this on the specific subcommand")
 	}
 	return nil
@@ -101,6 +129,10 @@ func main() {
 	}
 	rootCmd, _ := createApp()
 	if err := rootCmd.Execute(); err != nil {
+		if isNotFoundImageError(err) {
+			logrus.StandardLogger().Log(logrus.FatalLevel, err)
+			logrus.Exit(2)
+		}
 		logrus.Fatal(err)
 	}
 }
@@ -143,10 +175,11 @@ func (opts *globalOptions) newSystemContext() *types.SystemContext {
 		VariantChoice:            opts.overrideVariant,
 		SystemRegistriesConfPath: opts.registriesConfPath,
 		BigFilesTemporaryDir:     opts.tmpDir,
+		DockerRegistryUserAgent:  defaultUserAgent,
 	}
 	// DEPRECATED: We support this for backward compatibility, but override it if a per-image flag is provided.
-	if opts.tlsVerify.present {
-		ctx.DockerInsecureSkipTLSVerify = types.NewOptionalBool(!opts.tlsVerify.value)
+	if opts.tlsVerify.Present() {
+		ctx.DockerInsecureSkipTLSVerify = types.NewOptionalBool(!opts.tlsVerify.Value())
 	}
 	return ctx
 }
--- a/cmd/skopeo/main_test.go
+++ b/cmd/skopeo/main_test.go
@@ -23,7 +23,10 @@ func TestGlobalOptionsNewSystemContext(t *testing.T) {
 	// Default state
 	opts, _ := fakeGlobalOptions(t, []string{})
 	res := opts.newSystemContext()
-	assert.Equal(t, &types.SystemContext{}, res)
+	assert.Equal(t, &types.SystemContext{
+		// User-Agent is set by default.
+		DockerRegistryUserAgent: defaultUserAgent,
+	}, res)
 	// Set everything to non-default values.
 	opts, _ = fakeGlobalOptions(t, []string{
 		"--registries.d", "/srv/registries.d",
@@ -43,5 +46,6 @@ func TestGlobalOptionsNewSystemContext(t *testing.T) {
 		BigFilesTemporaryDir:        "/srv",
 		SystemRegistriesConfPath:    "/srv/registries.conf",
 		DockerInsecureSkipTLSVerify: types.OptionalBoolTrue,
+		DockerRegistryUserAgent:     defaultUserAgent,
 	}, res)
 }
--- a/cmd/skopeo/manifest.go
+++ b/cmd/skopeo/manifest.go
@@ -4,7 +4,7 @@ import (
 	"errors"
 	"fmt"
 	"io"
-	"io/ioutil"
+	"os"

 	"github.com/containers/image/v5/manifest"
 	"github.com/spf13/cobra"
@@ -16,7 +16,7 @@ type manifestDigestOptions struct {
 func manifestDigestCmd() *cobra.Command {
 	var opts manifestDigestOptions
 	cmd := &cobra.Command{
-		Use:     "manifest-digest MANIFEST",
+		Use:     "manifest-digest MANIFEST-FILE",
 		Short:   "Compute a manifest digest of a file",
 		RunE:    commandAction(opts.run),
 		Example: "skopeo manifest-digest manifest.json",
@@ -31,7 +31,7 @@ func (opts *manifestDigestOptions) run(args []string, stdout io.Writer) error {
 	}
 	manifestPath := args[0]

-	man, err := ioutil.ReadFile(manifestPath)
+	man, err := os.ReadFile(manifestPath)
 	if err != nil {
 		return fmt.Errorf("Error reading manifest from %s: %v", manifestPath, err)
 	}
--- a/cmd/skopeo/proxy.go
+++ b/cmd/skopeo/proxy.go
@@ -0,0 +1,860 @@
+//go:build !windows
+// +build !windows
+
+package main
+
+/*
+  This code is currently only intended to be used by ostree
+  to fetch content via containers.  The API is subject
+  to change.  A goal however is to stabilize the API
+  eventually as a full out-of-process interface to the
+  core containers/image library functionality.
+
+  To use this command, in a parent process create a
+  `socketpair()` of type `SOCK_SEQPACKET`.  Fork
+  off this command, and pass one half of the socket
+  pair to the child.  Providing it on stdin (fd 0)
+  is the expected default.
+
+  The protocol is JSON for the control layer,
+  and  a read side of a `pipe()` passed for large data.
+
+ Base JSON protocol:
+
+ request: { method: "MethodName": args: [arguments] }
+ reply: { success: bool, value: JSVAL, pipeid: number, error: string }
+
+ For any non-metadata i.e. payload data from `GetManifest`
+ and `GetBlob` the server will pass back the read half of a `pipe(2)` via FD passing,
+ along with a `pipeid` integer.
+
+ The expected flow looks like this:
+
+  - Initialize
+    And validate the returned protocol version versus
+	what your client supports.
+  - OpenImage docker://quay.io/someorg/example:latest
+    (returns an imageid)
+  - GetManifest imageid (and associated <pipeid>)
+  (Streaming read data from pipe)
+  - FinishPipe <pipeid>
+  - GetBlob imageid sha256:...
+  (Streaming read data from pipe)
+  - FinishPipe <pipeid>
+  - GetBlob imageid sha256:...
+  (Streaming read data from pipe)
+  - FinishPipe <pipeid>
+  - CloseImage imageid
+
+ You may interleave invocations of these methods, e.g. one
+ can also invoke `OpenImage` multiple times, as well as
+ starting multiple GetBlob requests before calling `FinishPipe`
+ on them.  The server will stream data into the pipefd
+ until `FinishPipe` is invoked.
+
+ Note that the pipe will not be closed by the server until
+ the client has invoked `FinishPipe`.  This is to ensure
+ that the client checks for errors.  For example, `GetBlob`
+ performs digest (e.g. sha256) verification and this must
+ be checked after all data has been written.
+*/
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io"
+	"net"
+	"os"
+	"sync"
+	"syscall"
+
+	"github.com/containers/image/v5/image"
+	"github.com/containers/image/v5/manifest"
+	"github.com/containers/image/v5/pkg/blobinfocache"
+	"github.com/containers/image/v5/transports"
+	"github.com/containers/image/v5/transports/alltransports"
+	"github.com/containers/image/v5/types"
+	"github.com/opencontainers/go-digest"
+	imgspecv1 "github.com/opencontainers/image-spec/specs-go/v1"
+	"github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"
+)
+
+// protocolVersion is semantic version of the protocol used by this proxy.
+// The first version of the protocol has major version 0.2 to signify a
+// departure from the original code which used HTTP.
+//
+// 0.2.1: Initial version
+// 0.2.2: Added support for fetching image configuration as OCI
+// 0.2.3: Added GetFullConfig
+// 0.2.4: Added OpenImageOptional
+// 0.2.5: Added LayerInfoJSON
+// 0.2.6: Policy Verification before pulling OCI
+const protocolVersion = "0.2.6"
+
+// maxMsgSize is the current limit on a packet size.
+// Note that all non-metadata (i.e. payload data) is sent over a pipe.
+const maxMsgSize = 32 * 1024
+
+// maxJSONFloat is ECMA Number.MAX_SAFE_INTEGER
+// https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Number/MAX_SAFE_INTEGER
+// We hard error if the input JSON numbers we expect to be
+// integers are above this.
+const maxJSONFloat = float64(uint64(1)<<53 - 1)
+
+// sentinelImageID represents "image not found" on the wire
+const sentinelImageID = 0
+
+// request is the JSON serialization of a function call
+type request struct {
+	// Method is the name of the function
+	Method string `json:"method"`
+	// Args is the arguments (parsed inside the function)
+	Args []any `json:"args"`
+}
+
+// reply is serialized to JSON as the return value from a function call.
+type reply struct {
+	// Success is true if and only if the call succeeded.
+	Success bool `json:"success"`
+	// Value is an arbitrary value (or values, as array/map) returned from the call.
+	Value any `json:"value"`
+	// PipeID is an index into open pipes, and should be passed to FinishPipe
+	PipeID uint32 `json:"pipeid"`
+	// Error should be non-empty if Success == false
+	Error string `json:"error"`
+}
+
+// replyBuf is our internal deserialization of reply plus optional fd
+type replyBuf struct {
+	// value will be converted to a reply Value
+	value any
+	// fd is the read half of a pipe, passed back to the client
+	fd *os.File
+	// pipeid will be provided to the client as PipeID, an index into our open pipes
+	pipeid uint32
+}
+
+// activePipe is an open pipe to the client.
+// It contains an error value
+type activePipe struct {
+	// w is the write half of the pipe
+	w *os.File
+	// wg is completed when our worker goroutine is done
+	wg sync.WaitGroup
+	// err may be set in our worker goroutine
+	err error
+}
+
+// openImage is an opened image reference
+type openImage struct {
+	// id is an opaque integer handle
+	id        uint64
+	src       types.ImageSource
+	cachedimg types.Image
+}
+
+// proxyHandler is the state associated with our socket.
+type proxyHandler struct {
+	// lock protects everything else in this structure.
+	lock sync.Mutex
+	// opts is CLI options
+	opts   *proxyOptions
+	sysctx *types.SystemContext
+	cache  types.BlobInfoCache
+
+	// imageSerial is a counter for open images
+	imageSerial uint64
+	// images holds our opened images
+	images map[uint64]*openImage
+	// activePipes maps from "pipeid" to a pipe + goroutine pair
+	activePipes map[uint32]*activePipe
+}
+
+// convertedLayerInfo is the reduced form of the OCI type BlobInfo
+// Used in the return value of GetLayerInfo
+type convertedLayerInfo struct {
+	Digest    digest.Digest `json:"digest"`
+	Size      int64         `json:"size"`
+	MediaType string        `json:"media_type"`
+}
+
+// Initialize performs one-time initialization, and returns the protocol version
+func (h *proxyHandler) Initialize(args []any) (replyBuf, error) {
+	h.lock.Lock()
+	defer h.lock.Unlock()
+
+	var ret replyBuf
+
+	if len(args) != 0 {
+		return ret, fmt.Errorf("invalid request, expecting zero arguments")
+	}
+
+	if h.sysctx != nil {
+		return ret, fmt.Errorf("already initialized")
+	}
+
+	sysctx, err := h.opts.imageOpts.newSystemContext()
+	if err != nil {
+		return ret, err
+	}
+	h.sysctx = sysctx
+	h.cache = blobinfocache.DefaultCache(sysctx)
+
+	r := replyBuf{
+		value: protocolVersion,
+	}
+	return r, nil
+}
+
+// OpenImage accepts a string image reference i.e. TRANSPORT:REF - like `skopeo copy`.
+// The return value is an opaque integer handle.
+func (h *proxyHandler) OpenImage(args []any) (replyBuf, error) {
+	return h.openImageImpl(args, false)
+}
+
+func (h *proxyHandler) openImageImpl(args []any, allowNotFound bool) (retReplyBuf replyBuf, retErr error) {
+	h.lock.Lock()
+	defer h.lock.Unlock()
+	var ret replyBuf
+
+	if h.sysctx == nil {
+		return ret, fmt.Errorf("client error: must invoke Initialize")
+	}
+	if len(args) != 1 {
+		return ret, fmt.Errorf("invalid request, expecting one argument")
+	}
+	imageref, ok := args[0].(string)
+	if !ok {
+		return ret, fmt.Errorf("expecting string imageref, not %T", args[0])
+	}
+
+	imgRef, err := alltransports.ParseImageName(imageref)
+	if err != nil {
+		return ret, err
+	}
+	imgsrc, err := imgRef.NewImageSource(context.Background(), h.sysctx)
+	if err != nil {
+		if allowNotFound && isNotFoundImageError(err) {
+			ret.value = sentinelImageID
+			return ret, nil
+		}
+		return ret, err
+	}
+
+	policyContext, err := h.opts.global.getPolicyContext()
+	if err != nil {
+		return ret, err
+	}
+	defer func() {
+		if err := policyContext.Destroy(); err != nil {
+			retErr = noteCloseFailure(retErr, "tearing down policy context", err)
+		}
+	}()
+
+	unparsedTopLevel := image.UnparsedInstance(imgsrc, nil)
+	allowed, err := policyContext.IsRunningImageAllowed(context.Background(), unparsedTopLevel)
+	if err != nil {
+		return ret, err
+	}
+	if !allowed {
+		return ret, fmt.Errorf("internal inconsistency: policy verification failed without returning an error")
+	}
+
+	// Note that we never return zero as an imageid; this code doesn't yet
+	// handle overflow though.
+	h.imageSerial++
+	openimg := &openImage{
+		id:  h.imageSerial,
+		src: imgsrc,
+	}
+	h.images[openimg.id] = openimg
+	ret.value = openimg.id
+
+	return ret, nil
+}
+
+// OpenImage accepts a string image reference i.e. TRANSPORT:REF - like `skopeo copy`.
+// The return value is an opaque integer handle.  If the image does not exist, zero
+// is returned.
+func (h *proxyHandler) OpenImageOptional(args []any) (replyBuf, error) {
+	return h.openImageImpl(args, true)
+}
+
+func (h *proxyHandler) CloseImage(args []any) (replyBuf, error) {
+	h.lock.Lock()
+	defer h.lock.Unlock()
+	var ret replyBuf
+
+	if h.sysctx == nil {
+		return ret, fmt.Errorf("client error: must invoke Initialize")
+	}
+	if len(args) != 1 {
+		return ret, fmt.Errorf("invalid request, expecting one argument")
+	}
+	imgref, err := h.parseImageFromID(args[0])
+	if err != nil {
+		return ret, err
+	}
+	imgref.src.Close()
+	delete(h.images, imgref.id)
+
+	return ret, nil
+}
+
+// parseUint64 validates that a number fits inside a JavaScript safe integer
+func parseUint64(v any) (uint64, error) {
+	f, ok := v.(float64)
+	if !ok {
+		return 0, fmt.Errorf("expecting numeric, not %T", v)
+	}
+	if f > maxJSONFloat {
+		return 0, fmt.Errorf("out of range integer for numeric %f", f)
+	}
+	return uint64(f), nil
+}
+
+func (h *proxyHandler) parseImageFromID(v any) (*openImage, error) {
+	imgid, err := parseUint64(v)
+	if err != nil {
+		return nil, err
+	}
+	if imgid == sentinelImageID {
+		return nil, fmt.Errorf("Invalid imageid value of zero")
+	}
+	imgref, ok := h.images[imgid]
+	if !ok {
+		return nil, fmt.Errorf("no image %v", imgid)
+	}
+	return imgref, nil
+}
+
+func (h *proxyHandler) allocPipe() (*os.File, *activePipe, error) {
+	piper, pipew, err := os.Pipe()
+	if err != nil {
+		return nil, nil, err
+	}
+	f := activePipe{
+		w: pipew,
+	}
+	h.activePipes[uint32(pipew.Fd())] = &f
+	f.wg.Add(1)
+	return piper, &f, nil
+}
+
+// returnBytes generates a return pipe() from a byte array
+// In the future it might be nicer to return this via memfd_create()
+func (h *proxyHandler) returnBytes(retval any, buf []byte) (replyBuf, error) {
+	var ret replyBuf
+	piper, f, err := h.allocPipe()
+	if err != nil {
+		return ret, err
+	}
+
+	go func() {
+		// Signal completion when we return
+		defer f.wg.Done()
+		_, err = io.Copy(f.w, bytes.NewReader(buf))
+		if err != nil {
+			f.err = err
+		}
+	}()
+
+	ret.value = retval
+	ret.fd = piper
+	ret.pipeid = uint32(f.w.Fd())
+	return ret, nil
+}
+
+// cacheTargetManifest is invoked when GetManifest or GetConfig is invoked
+// the first time for a given image.  If the requested image is a manifest
+// list, this function resolves it to the image matching the calling process'
+// operating system and architecture.
+//
+// TODO: Add GetRawManifest or so that exposes manifest lists
+func (h *proxyHandler) cacheTargetManifest(img *openImage) error {
+	ctx := context.Background()
+	if img.cachedimg != nil {
+		return nil
+	}
+	unparsedToplevel := image.UnparsedInstance(img.src, nil)
+	mfest, manifestType, err := unparsedToplevel.Manifest(ctx)
+	if err != nil {
+		return err
+	}
+	var target *image.UnparsedImage
+	if manifest.MIMETypeIsMultiImage(manifestType) {
+		manifestList, err := manifest.ListFromBlob(mfest, manifestType)
+		if err != nil {
+			return err
+		}
+		instanceDigest, err := manifestList.ChooseInstance(h.sysctx)
+		if err != nil {
+			return err
+		}
+		target = image.UnparsedInstance(img.src, &instanceDigest)
+	} else {
+		target = unparsedToplevel
+	}
+	cachedimg, err := image.FromUnparsedImage(ctx, h.sysctx, target)
+	if err != nil {
+		return err
+	}
+	img.cachedimg = cachedimg
+	return nil
+}
+
+// GetManifest returns a copy of the manifest, converted to OCI format, along with the original digest.
+// Manifest lists are resolved to the current operating system and architecture.
+func (h *proxyHandler) GetManifest(args []any) (replyBuf, error) {
+	h.lock.Lock()
+	defer h.lock.Unlock()
+
+	var ret replyBuf
+
+	if h.sysctx == nil {
+		return ret, fmt.Errorf("client error: must invoke Initialize")
+	}
+	if len(args) != 1 {
+		return ret, fmt.Errorf("invalid request, expecting one argument")
+	}
+	imgref, err := h.parseImageFromID(args[0])
+	if err != nil {
+		return ret, err
+	}
+
+	err = h.cacheTargetManifest(imgref)
+	if err != nil {
+		return ret, err
+	}
+	img := imgref.cachedimg
+
+	ctx := context.Background()
+	rawManifest, manifestType, err := img.Manifest(ctx)
+	if err != nil {
+		return ret, err
+	}
+
+	// We only support OCI and docker2schema2.  We know docker2schema2 can be easily+cheaply
+	// converted into OCI, so consumers only need to see OCI.
+	switch manifestType {
+	case imgspecv1.MediaTypeImageManifest, manifest.DockerV2Schema2MediaType:
+		break
+	// Explicitly reject e.g. docker schema 1 type with a "legacy" note
+	case manifest.DockerV2Schema1MediaType, manifest.DockerV2Schema1SignedMediaType:
+		return ret, fmt.Errorf("unsupported legacy manifest MIME type: %s", manifestType)
+	default:
+		return ret, fmt.Errorf("unsupported manifest MIME type: %s", manifestType)
+	}
+
+	// We always return the original digest, as that's what clients need to do pull-by-digest
+	// and in general identify the image.
+	digest, err := manifest.Digest(rawManifest)
+	if err != nil {
+		return ret, err
+	}
+	var serialized []byte
+	// But, we convert to OCI format on the wire if it's not already.  The idea here is that by reusing the containers/image
+	// stack, clients to this proxy can pretend the world is OCI only, and not need to care about e.g.
+	// docker schema and MIME types.
+	if manifestType != imgspecv1.MediaTypeImageManifest {
+		manifestUpdates := types.ManifestUpdateOptions{ManifestMIMEType: imgspecv1.MediaTypeImageManifest}
+		ociImage, err := img.UpdatedImage(ctx, manifestUpdates)
+		if err != nil {
+			return ret, err
+		}
+
+		ociSerialized, _, err := ociImage.Manifest(ctx)
+		if err != nil {
+			return ret, err
+		}
+		serialized = ociSerialized
+	} else {
+		serialized = rawManifest
+	}
+	return h.returnBytes(digest, serialized)
+}
+
+// GetFullConfig returns a copy of the image configuration, converted to OCI format.
+// https://github.com/opencontainers/image-spec/blob/main/config.md
+func (h *proxyHandler) GetFullConfig(args []any) (replyBuf, error) {
+	h.lock.Lock()
+	defer h.lock.Unlock()
+
+	var ret replyBuf
+
+	if h.sysctx == nil {
+		return ret, fmt.Errorf("client error: must invoke Initialize")
+	}
+	if len(args) != 1 {
+		return ret, fmt.Errorf("invalid request, expecting: [imgid]")
+	}
+	imgref, err := h.parseImageFromID(args[0])
+	if err != nil {
+		return ret, err
+	}
+	err = h.cacheTargetManifest(imgref)
+	if err != nil {
+		return ret, err
+	}
+	img := imgref.cachedimg
+
+	ctx := context.TODO()
+	config, err := img.OCIConfig(ctx)
+	if err != nil {
+		return ret, err
+	}
+	serialized, err := json.Marshal(&config)
+	if err != nil {
+		return ret, err
+	}
+	return h.returnBytes(nil, serialized)
+}
+
+// GetConfig returns a copy of the container runtime configuration, converted to OCI format.
+// Note that due to a historical mistake, this returns not the full image configuration,
+// but just the container runtime configuration.  You should use GetFullConfig instead.
+func (h *proxyHandler) GetConfig(args []any) (replyBuf, error) {
+	h.lock.Lock()
+	defer h.lock.Unlock()
+
+	var ret replyBuf
+
+	if h.sysctx == nil {
+		return ret, fmt.Errorf("client error: must invoke Initialize")
+	}
+	if len(args) != 1 {
+		return ret, fmt.Errorf("invalid request, expecting: [imgid]")
+	}
+	imgref, err := h.parseImageFromID(args[0])
+	if err != nil {
+		return ret, err
+	}
+	err = h.cacheTargetManifest(imgref)
+	if err != nil {
+		return ret, err
+	}
+	img := imgref.cachedimg
+
+	ctx := context.TODO()
+	config, err := img.OCIConfig(ctx)
+	if err != nil {
+		return ret, err
+	}
+	serialized, err := json.Marshal(&config.Config)
+	if err != nil {
+		return ret, err
+	}
+	return h.returnBytes(nil, serialized)
+}
+
+// GetBlob fetches a blob, performing digest verification.
+func (h *proxyHandler) GetBlob(args []any) (replyBuf, error) {
+	h.lock.Lock()
+	defer h.lock.Unlock()
+
+	var ret replyBuf
+
+	if h.sysctx == nil {
+		return ret, fmt.Errorf("client error: must invoke Initialize")
+	}
+	if len(args) != 3 {
+		return ret, fmt.Errorf("found %d args, expecting (imgid, digest, size)", len(args))
+	}
+	imgref, err := h.parseImageFromID(args[0])
+	if err != nil {
+		return ret, err
+	}
+	digestStr, ok := args[1].(string)
+	if !ok {
+		return ret, fmt.Errorf("expecting string blobid")
+	}
+	size, err := parseUint64(args[2])
+	if err != nil {
+		return ret, err
+	}
+
+	ctx := context.TODO()
+	d, err := digest.Parse(digestStr)
+	if err != nil {
+		return ret, err
+	}
+	blobr, blobSize, err := imgref.src.GetBlob(ctx, types.BlobInfo{Digest: d, Size: int64(size)}, h.cache)
+	if err != nil {
+		return ret, err
+	}
+
+	piper, f, err := h.allocPipe()
+	if err != nil {
+		blobr.Close()
+		return ret, err
+	}
+	go func() {
+		// Signal completion when we return
+		defer blobr.Close()
+		defer f.wg.Done()
+		verifier := d.Verifier()
+		tr := io.TeeReader(blobr, verifier)
+		n, err := io.Copy(f.w, tr)
+		if err != nil {
+			f.err = err
+			return
+		}
+		if n != int64(size) {
+			f.err = fmt.Errorf("expected %d bytes in blob, got %d", size, n)
+		}
+		if !verifier.Verified() {
+			f.err = fmt.Errorf("corrupted blob, expecting %s", d.String())
+		}
+	}()
+
+	ret.value = blobSize
+	ret.fd = piper
+	ret.pipeid = uint32(f.w.Fd())
+	return ret, nil
+}
+
+// GetLayerInfo returns data about the layers of an image, useful for reading the layer contents.
+//
+// This needs to be called since the data returned by GetManifest() does not allow to correctly
+// calling GetBlob() for the containers-storage: transport (which doesn’t store the original compressed
+// representations referenced in the manifest).
+func (h *proxyHandler) GetLayerInfo(args []any) (replyBuf, error) {
+	h.lock.Lock()
+	defer h.lock.Unlock()
+
+	var ret replyBuf
+
+	if h.sysctx == nil {
+		return ret, fmt.Errorf("client error: must invoke Initialize")
+	}
+
+	if len(args) != 1 {
+		return ret, fmt.Errorf("found %d args, expecting (imgid)", len(args))
+	}
+
+	imgref, err := h.parseImageFromID(args[0])
+	if err != nil {
+		return ret, err
+	}
+
+	ctx := context.TODO()
+
+	err = h.cacheTargetManifest(imgref)
+	if err != nil {
+		return ret, err
+	}
+	img := imgref.cachedimg
+
+	layerInfos, err := img.LayerInfosForCopy(ctx)
+	if err != nil {
+		return ret, err
+	}
+
+	if layerInfos == nil {
+		layerInfos = img.LayerInfos()
+	}
+
+	layers := make([]convertedLayerInfo, 0, len(layerInfos))
+	for _, layer := range layerInfos {
+		layers = append(layers, convertedLayerInfo{layer.Digest, layer.Size, layer.MediaType})
+	}
+
+	ret.value = layers
+	return ret, nil
+}
+
+// FinishPipe waits for the worker goroutine to finish, and closes the write side of the pipe.
+func (h *proxyHandler) FinishPipe(args []any) (replyBuf, error) {
+	h.lock.Lock()
+	defer h.lock.Unlock()
+
+	var ret replyBuf
+
+	pipeidv, err := parseUint64(args[0])
+	if err != nil {
+		return ret, err
+	}
+	pipeid := uint32(pipeidv)
+
+	f, ok := h.activePipes[pipeid]
+	if !ok {
+		return ret, fmt.Errorf("finishpipe: no active pipe %d", pipeid)
+	}
+
+	// Wait for the goroutine to complete
+	f.wg.Wait()
+	logrus.Debug("Completed pipe goroutine")
+	// And only now do we close the write half; this forces the client to call this API
+	f.w.Close()
+	// Propagate any errors from the goroutine worker
+	err = f.err
+	delete(h.activePipes, pipeid)
+	return ret, err
+}
+
+// close releases all resources associated with this proxy backend
+func (h *proxyHandler) close() {
+	for _, image := range h.images {
+		err := image.src.Close()
+		if err != nil {
+			// This shouldn't be fatal
+			logrus.Warnf("Failed to close image %s: %v", transports.ImageName(image.cachedimg.Reference()), err)
+		}
+	}
+}
+
+// send writes a reply buffer to the socket
+func (buf replyBuf) send(conn *net.UnixConn, err error) error {
+	logrus.Debugf("Sending reply: err=%v value=%v pipeid=%v", err, buf.value, buf.pipeid)
+	replyToSerialize := reply{
+		Success: err == nil,
+		Value:   buf.value,
+		PipeID:  buf.pipeid,
+	}
+	if err != nil {
+		replyToSerialize.Error = err.Error()
+	}
+	serializedReply, err := json.Marshal(&replyToSerialize)
+	if err != nil {
+		return err
+	}
+	// We took ownership of the FD - close it when we're done.
+	defer func() {
+		if buf.fd != nil {
+			buf.fd.Close()
+		}
+	}()
+	// Copy the FD number to the socket ancillary buffer
+	fds := make([]int, 0)
+	if buf.fd != nil {
+		fds = append(fds, int(buf.fd.Fd()))
+	}
+	oob := syscall.UnixRights(fds...)
+	n, oobn, err := conn.WriteMsgUnix(serializedReply, oob, nil)
+	if err != nil {
+		return err
+	}
+	// Validate that we sent the full packet
+	if n != len(serializedReply) || oobn != len(oob) {
+		return io.ErrShortWrite
+	}
+	return nil
+}
+
+type proxyOptions struct {
+	global    *globalOptions
+	imageOpts *imageOptions
+	sockFd    int
+}
+
+func proxyCmd(global *globalOptions) *cobra.Command {
+	sharedFlags, sharedOpts := sharedImageFlags()
+	imageFlags, imageOpts := imageFlags(global, sharedOpts, nil, "", "")
+	opts := proxyOptions{global: global, imageOpts: imageOpts}
+	cmd := &cobra.Command{
+		Use:   "experimental-image-proxy [command options] IMAGE",
+		Short: "Interactive proxy for fetching container images (EXPERIMENTAL)",
+		Long:  `Run skopeo as a proxy, supporting HTTP requests to fetch manifests and blobs.`,
+		RunE:  commandAction(opts.run),
+		Args:  cobra.ExactArgs(0),
+		// Not stabilized yet
+		Hidden:  true,
+		Example: `skopeo experimental-image-proxy --sockfd 3`,
+	}
+	adjustUsage(cmd)
+	flags := cmd.Flags()
+	flags.AddFlagSet(&sharedFlags)
+	flags.AddFlagSet(&imageFlags)
+	flags.IntVar(&opts.sockFd, "sockfd", 0, "Serve on opened socket pair (default 0/stdin)")
+	return cmd
+}
+
+// processRequest dispatches a remote request.
+// replyBuf is the result of the invocation.
+// terminate should be true if processing of requests should halt.
+func (h *proxyHandler) processRequest(readBytes []byte) (rb replyBuf, terminate bool, err error) {
+	var req request
+
+	// Parse the request JSON
+	if err = json.Unmarshal(readBytes, &req); err != nil {
+		err = fmt.Errorf("invalid request: %v", err)
+		return
+	}
+	logrus.Debugf("Executing method %s", req.Method)
+
+	// Dispatch on the method
+	switch req.Method {
+	case "Initialize":
+		rb, err = h.Initialize(req.Args)
+	case "OpenImage":
+		rb, err = h.OpenImage(req.Args)
+	case "OpenImageOptional":
+		rb, err = h.OpenImageOptional(req.Args)
+	case "CloseImage":
+		rb, err = h.CloseImage(req.Args)
+	case "GetManifest":
+		rb, err = h.GetManifest(req.Args)
+	case "GetConfig":
+		rb, err = h.GetConfig(req.Args)
+	case "GetFullConfig":
+		rb, err = h.GetFullConfig(req.Args)
+	case "GetBlob":
+		rb, err = h.GetBlob(req.Args)
+	case "GetLayerInfo":
+		rb, err = h.GetLayerInfo(req.Args)
+	case "FinishPipe":
+		rb, err = h.FinishPipe(req.Args)
+	case "Shutdown":
+		terminate = true
+	// NOTE: If you add a method here, you should very likely be bumping the
+	// const protocolVersion above.
+	default:
+		err = fmt.Errorf("unknown method: %s", req.Method)
+	}
+	return
+}
+
+// Implementation of podman experimental-image-proxy
+func (opts *proxyOptions) run(args []string, stdout io.Writer) error {
+	handler := &proxyHandler{
+		opts:        opts,
+		images:      make(map[uint64]*openImage),
+		activePipes: make(map[uint32]*activePipe),
+	}
+	defer handler.close()
+
+	// Convert the socket FD passed by client into a net.FileConn
+	fd := os.NewFile(uintptr(opts.sockFd), "sock")
+	fconn, err := net.FileConn(fd)
+	if err != nil {
+		return err
+	}
+	conn := fconn.(*net.UnixConn)
+
+	// Allocate a buffer to copy the packet into
+	buf := make([]byte, maxMsgSize)
+	for {
+		n, _, err := conn.ReadFrom(buf)
+		if err != nil {
+			if errors.Is(err, io.EOF) {
+				return nil
+			}
+			return fmt.Errorf("reading socket: %v", err)
+		}
+		readbuf := buf[0:n]
+
+		rb, terminate, err := handler.processRequest(readbuf)
+		if terminate {
+			logrus.Debug("terminating")
+			return nil
+		}
+
+		if err := rb.send(conn, err); err != nil {
+			return fmt.Errorf("writing to socket: %w", err)
+		}
+	}
+}
--- a/cmd/skopeo/proxy_windows.go
+++ b/cmd/skopeo/proxy_windows.go
@@ -0,0 +1,30 @@
+//go:build windows
+// +build windows
+
+package main
+
+import (
+	"fmt"
+	"io"
+
+	"github.com/spf13/cobra"
+)
+
+type proxyOptions struct {
+	global *globalOptions
+}
+
+func proxyCmd(global *globalOptions) *cobra.Command {
+	opts := proxyOptions{global: global}
+	cmd := &cobra.Command{
+		RunE: commandAction(opts.run),
+		Args: cobra.ExactArgs(0),
+		// Not stabilized yet
+		Hidden: true,
+	}
+	return cmd
+}
+
+func (opts *proxyOptions) run(args []string, stdout io.Writer) error {
+	return fmt.Errorf("This command is not supported on Windows")
+}
--- a/cmd/skopeo/signing.go
+++ b/cmd/skopeo/signing.go
@@ -5,26 +5,30 @@ import (
 	"errors"
 	"fmt"
 	"io"
-	"io/ioutil"
+	"os"
+	"strings"

+	"github.com/containers/image/v5/pkg/cli"
 	"github.com/containers/image/v5/signature"
 	"github.com/spf13/cobra"
 )

 type standaloneSignOptions struct {
-	output string // Output file path
+	output         string // Output file path
+	passphraseFile string // Path pointing to a passphrase file when signing
 }

 func standaloneSignCmd() *cobra.Command {
 	opts := standaloneSignOptions{}
 	cmd := &cobra.Command{
-		Use:   "standalone-sign [command options] MANIFEST DOCKER-REFERENCE KEY-FINGERPRINT",
+		Use:   "standalone-sign [command options] MANIFEST DOCKER-REFERENCE KEY-FINGERPRINT --output|-o SIGNATURE",
 		Short: "Create a signature using local files",
 		RunE:  commandAction(opts.run),
 	}
 	adjustUsage(cmd)
 	flags := cmd.Flags()
 	flags.StringVarP(&opts.output, "output", "o", "", "output the signature to `SIGNATURE`")
+	flags.StringVarP(&opts.passphraseFile, "passphrase-file", "", "", "file that contains a passphrase for the --sign-by key")
 	return cmd
 }

@@ -36,37 +40,49 @@ func (opts *standaloneSignOptions) run(args []string, stdout io.Writer) error {
 	dockerReference := args[1]
 	fingerprint := args[2]

-	manifest, err := ioutil.ReadFile(manifestPath)
+	manifest, err := os.ReadFile(manifestPath)
 	if err != nil {
-		return fmt.Errorf("Error reading %s: %v", manifestPath, err)
+		return fmt.Errorf("Error reading %s: %w", manifestPath, err)
 	}

 	mech, err := signature.NewGPGSigningMechanism()
 	if err != nil {
-		return fmt.Errorf("Error initializing GPG: %v", err)
+		return fmt.Errorf("Error initializing GPG: %w", err)
 	}
 	defer mech.Close()
-	signature, err := signature.SignDockerManifest(manifest, dockerReference, mech, fingerprint)
+
+	passphrase, err := cli.ReadPassphraseFile(opts.passphraseFile)
 	if err != nil {
-		return fmt.Errorf("Error creating signature: %v", err)
+		return err
 	}

-	if err := ioutil.WriteFile(opts.output, signature, 0644); err != nil {
-		return fmt.Errorf("Error writing signature to %s: %v", opts.output, err)
+	signature, err := signature.SignDockerManifestWithOptions(manifest, dockerReference, mech, fingerprint, &signature.SignOptions{Passphrase: passphrase})
+	if err != nil {
+		return fmt.Errorf("Error creating signature: %w", err)
+	}
+
+	if err := os.WriteFile(opts.output, signature, 0644); err != nil {
+		return fmt.Errorf("Error writing signature to %s: %w", opts.output, err)
 	}
 	return nil
 }

 type standaloneVerifyOptions struct {
+	publicKeyFile string
 }

 func standaloneVerifyCmd() *cobra.Command {
 	opts := standaloneVerifyOptions{}
 	cmd := &cobra.Command{
-		Use:   "standalone-verify MANIFEST DOCKER-REFERENCE KEY-FINGERPRINT SIGNATURE",
+		Use:   "standalone-verify MANIFEST DOCKER-REFERENCE KEY-FINGERPRINTS SIGNATURE",
 		Short: "Verify a signature using local files",
-		RunE:  commandAction(opts.run),
+		Long: `Verify a signature using local files
+
+KEY-FINGERPRINTS can be a comma separated list of fingerprints, or "any" if you trust all the keys in the public key file.`,
+		RunE: commandAction(opts.run),
 	}
+	flags := cmd.Flags()
+	flags.StringVar(&opts.publicKeyFile, "public-key-file", "", `File containing public keys. If not specified, will use local GPG keys.`)
 	adjustUsage(cmd)
 	return cmd
 }
@@ -77,29 +93,51 @@ func (opts *standaloneVerifyOptions) run(args []string, stdout io.Writer) error
 	}
 	manifestPath := args[0]
 	expectedDockerReference := args[1]
-	expectedFingerprint := args[2]
+	expectedFingerprints := strings.Split(args[2], ",")
 	signaturePath := args[3]

-	unverifiedManifest, err := ioutil.ReadFile(manifestPath)
-	if err != nil {
-		return fmt.Errorf("Error reading manifest from %s: %v", manifestPath, err)
+	if opts.publicKeyFile == "" && len(expectedFingerprints) == 1 && expectedFingerprints[0] == "any" {
+		return fmt.Errorf("Cannot use any fingerprint without a public key file")
 	}
-	unverifiedSignature, err := ioutil.ReadFile(signaturePath)
+	unverifiedManifest, err := os.ReadFile(manifestPath)
 	if err != nil {
-		return fmt.Errorf("Error reading signature from %s: %v", signaturePath, err)
+		return fmt.Errorf("Error reading manifest from %s: %w", manifestPath, err)
+	}
+	unverifiedSignature, err := os.ReadFile(signaturePath)
+	if err != nil {
+		return fmt.Errorf("Error reading signature from %s: %w", signaturePath, err)
 	}

-	mech, err := signature.NewGPGSigningMechanism()
-	if err != nil {
-		return fmt.Errorf("Error initializing GPG: %v", err)
+	var mech signature.SigningMechanism
+	var publicKeyfingerprints []string
+	if opts.publicKeyFile != "" {
+		publicKeys, err := os.ReadFile(opts.publicKeyFile)
+		if err != nil {
+			return fmt.Errorf("Error reading public keys from %s: %w", opts.publicKeyFile, err)
+		}
+		mech, publicKeyfingerprints, err = signature.NewEphemeralGPGSigningMechanism(publicKeys)
+		if err != nil {
+			return fmt.Errorf("Error initializing GPG: %w", err)
+
+		}
+	} else {
+		mech, err = signature.NewGPGSigningMechanism()
+		if err != nil {
+			return fmt.Errorf("Error initializing GPG: %w", err)
+		}
 	}
 	defer mech.Close()
-	sig, err := signature.VerifyDockerManifestSignature(unverifiedSignature, unverifiedManifest, expectedDockerReference, mech, expectedFingerprint)
-	if err != nil {
-		return fmt.Errorf("Error verifying signature: %v", err)
+
+	if len(expectedFingerprints) == 1 && expectedFingerprints[0] == "any" {
+		expectedFingerprints = publicKeyfingerprints
 	}

-	fmt.Fprintf(stdout, "Signature verified, digest %s\n", sig.DockerManifestDigest)
+	sig, verificationFingerprint, err := signature.VerifyImageManifestSignatureUsingKeyIdentityList(unverifiedSignature, unverifiedManifest, expectedDockerReference, mech, expectedFingerprints)
+	if err != nil {
+		return fmt.Errorf("Error verifying signature: %w", err)
+	}
+
+	fmt.Fprintf(stdout, "Signature verified using fingerprint %s, digest %s\n", verificationFingerprint, sig.DockerManifestDigest)
 	return nil
 }

@@ -130,9 +168,9 @@ func (opts *untrustedSignatureDumpOptions) run(args []string, stdout io.Writer)
 	}
 	untrustedSignaturePath := args[0]

-	untrustedSignature, err := ioutil.ReadFile(untrustedSignaturePath)
+	untrustedSignature, err := os.ReadFile(untrustedSignaturePath)
 	if err != nil {
-		return fmt.Errorf("Error reading untrusted signature from %s: %v", untrustedSignaturePath, err)
+		return fmt.Errorf("Error reading untrusted signature from %s: %w", untrustedSignaturePath, err)
 	}

 	untrustedInfo, err := signature.GetUntrustedSignatureInformationWithoutVerifying(untrustedSignature)
--- a/cmd/skopeo/signing_test.go
+++ b/cmd/skopeo/signing_test.go
@@ -2,7 +2,6 @@ package main

 import (
 	"encoding/json"
-	"io/ioutil"
 	"os"
 	"testing"
 	"time"
@@ -25,9 +24,8 @@ const (
 // Test that results of runSkopeo failed with nothing on stdout, and substring
 // within the error message.
 func assertTestFailed(t *testing.T, stdout string, err error, substring string) {
-	assert.Error(t, err)
+	assert.ErrorContains(t, err, substring)
 	assert.Empty(t, stdout)
-	assert.Contains(t, err.Error(), substring)
 }

 func TestStandaloneSign(t *testing.T) {
@@ -40,8 +38,7 @@ func TestStandaloneSign(t *testing.T) {

 	manifestPath := "fixtures/image.manifest.json"
 	dockerReference := "testing/manifest"
-	os.Setenv("GNUPGHOME", "fixtures")
-	defer os.Unsetenv("GNUPGHOME")
+	t.Setenv("GNUPGHOME", "fixtures")

 	// Invalid command-line arguments
 	for _, args := range [][]string{
@@ -78,7 +75,7 @@ func TestStandaloneSign(t *testing.T) {
 	assertTestFailed(t, out, err, "/dev/full")

 	// Success
-	sigOutput, err := ioutil.TempFile("", "sig")
+	sigOutput, err := os.CreateTemp("", "sig")
 	require.NoError(t, err)
 	defer os.Remove(sigOutput.Name())
 	out, err = runSkopeo("standalone-sign", "-o", sigOutput.Name(),
@@ -86,9 +83,9 @@ func TestStandaloneSign(t *testing.T) {
 	require.NoError(t, err)
 	assert.Empty(t, out)

-	sig, err := ioutil.ReadFile(sigOutput.Name())
+	sig, err := os.ReadFile(sigOutput.Name())
 	require.NoError(t, err)
-	manifest, err := ioutil.ReadFile(manifestPath)
+	manifest, err := os.ReadFile(manifestPath)
 	require.NoError(t, err)
 	mech, err = signature.NewGPGSigningMechanism()
 	require.NoError(t, err)
@@ -103,8 +100,7 @@ func TestStandaloneVerify(t *testing.T) {
 	manifestPath := "fixtures/image.manifest.json"
 	signaturePath := "fixtures/image.signature"
 	dockerReference := "testing/manifest"
-	os.Setenv("GNUPGHOME", "fixtures")
-	defer os.Unsetenv("GNUPGHOME")
+	t.Setenv("GNUPGHOME", "fixtures")

 	// Invalid command-line arguments
 	for _, args := range [][]string{
@@ -131,11 +127,36 @@ func TestStandaloneVerify(t *testing.T) {
 		dockerReference, fixturesTestKeyFingerprint, "fixtures/corrupt.signature")
 	assertTestFailed(t, out, err, "Error verifying signature")

+	// Error using any without a public key file
+	out, err = runSkopeo("standalone-verify", manifestPath,
+		dockerReference, "any", signaturePath)
+	assertTestFailed(t, out, err, "Cannot use any fingerprint without a public key file")
+
 	// Success
 	out, err = runSkopeo("standalone-verify", manifestPath,
 		dockerReference, fixturesTestKeyFingerprint, signaturePath)
 	assert.NoError(t, err)
-	assert.Equal(t, "Signature verified, digest "+fixturesTestImageManifestDigest.String()+"\n", out)
+	assert.Equal(t, "Signature verified using fingerprint "+fixturesTestKeyFingerprint+", digest "+fixturesTestImageManifestDigest.String()+"\n", out)
+
+	// Using multiple fingerprints
+	out, err = runSkopeo("standalone-verify", manifestPath,
+		dockerReference, "0123456789ABCDEF0123456789ABCDEF01234567,"+fixturesTestKeyFingerprint+",DEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF", signaturePath)
+	assert.NoError(t, err)
+	assert.Equal(t, "Signature verified using fingerprint "+fixturesTestKeyFingerprint+", digest "+fixturesTestImageManifestDigest.String()+"\n", out)
+
+	// Using a public key file
+	t.Setenv("GNUPGHOME", "")
+	out, err = runSkopeo("standalone-verify", "--public-key-file", "fixtures/pubring.gpg", manifestPath,
+		dockerReference, fixturesTestKeyFingerprint, signaturePath)
+	assert.NoError(t, err)
+	assert.Equal(t, "Signature verified using fingerprint "+fixturesTestKeyFingerprint+", digest "+fixturesTestImageManifestDigest.String()+"\n", out)
+
+	// Using a public key file matching any public key
+	t.Setenv("GNUPGHOME", "")
+	out, err = runSkopeo("standalone-verify", "--public-key-file", "fixtures/pubring.gpg", manifestPath,
+		dockerReference, "any", signaturePath)
+	assert.NoError(t, err)
+	assert.Equal(t, "Signature verified using fingerprint "+fixturesTestKeyFingerprint+", digest "+fixturesTestImageManifestDigest.String()+"\n", out)
 }

 func TestUntrustedSignatureDump(t *testing.T) {
--- a/cmd/skopeo/sync.go
+++ b/cmd/skopeo/sync.go
@@ -2,41 +2,58 @@ package main

 import (
 	"context"
+	"errors"
 	"fmt"
 	"io"
-	"io/ioutil"
+	"io/fs"
 	"os"
 	"path"
 	"path/filepath"
 	"regexp"
+	"slices"
 	"strings"

+	"github.com/Masterminds/semver/v3"
+	commonFlag "github.com/containers/common/pkg/flag"
 	"github.com/containers/common/pkg/retry"
 	"github.com/containers/image/v5/copy"
 	"github.com/containers/image/v5/directory"
 	"github.com/containers/image/v5/docker"
 	"github.com/containers/image/v5/docker/reference"
+	"github.com/containers/image/v5/manifest"
+	"github.com/containers/image/v5/pkg/cli"
+	"github.com/containers/image/v5/pkg/cli/sigstore"
+	"github.com/containers/image/v5/signature/signer"
 	"github.com/containers/image/v5/transports"
 	"github.com/containers/image/v5/types"
 	"github.com/opencontainers/go-digest"
-	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
-	"gopkg.in/yaml.v2"
+	"gopkg.in/yaml.v3"
 )

 // syncOptions contains information retrieved from the skopeo sync command line.
 type syncOptions struct {
-	global            *globalOptions    // Global (not command dependent) skopeo options
-	srcImage          *imageOptions     // Source image options
-	destImage         *imageDestOptions // Destination image options
-	retryOpts         *retry.RetryOptions
-	removeSignatures  bool   // Do not copy signatures from the source image
-	signByFingerprint string // Sign the image using a GPG key with the specified fingerprint
-	source            string // Source repository name
-	destination       string // Destination registry name
-	scoped            bool   // When true, namespace copied images at destination using the source repository name
-	all               bool   // Copy all of the images if an image in the source is a list
+	global                   *globalOptions // Global (not command dependent) skopeo options
+	deprecatedTLSVerify      *deprecatedTLSVerifyOption
+	srcImage                 *imageOptions     // Source image options
+	destImage                *imageDestOptions // Destination image options
+	retryOpts                *retry.Options
+	removeSignatures         bool                      // Do not copy signatures from the source image
+	signByFingerprint        string                    // Sign the image using a GPG key with the specified fingerprint
+	signBySigstoreParamFile  string                    // Sign the image using a sigstore signature per configuration in a param file
+	signBySigstorePrivateKey string                    // Sign the image using a sigstore private key
+	signPassphraseFile       string                    // Path pointing to a passphrase file when signing
+	format                   commonFlag.OptionalString // Force conversion of the image to a specified format
+	source                   string                    // Source repository name
+	destination              string                    // Destination registry name
+	digestFile               string                    // Write digest to this file
+	scoped                   bool                      // When true, namespace copied images at destination using the source repository name
+	all                      bool                      // Copy all of the images if an image in the source is a list
+	dryRun                   bool                      // Don't actually copy anything, just output what it would have done
+	preserveDigests          bool                      // Preserve digests during sync
+	keepGoing                bool                      // Whether or not to abort the sync if there are any errors during syncing the images
+	appendSuffix             string                    // Suffix to append to destination image tag
 }

 // repoDescriptor contains information of a single repository used as a sync source.
@@ -46,7 +63,7 @@ type repoDescriptor struct {
 	Context     *types.SystemContext   // SystemContext for the sync command
 }

-// tlsVerify is an implementation of the Unmarshaler interface, used to
+// tlsVerifyConfig is an implementation of the Unmarshaler interface, used to
 // customize the unmarshaling behaviour of the tls-verify YAML key.
 type tlsVerifyConfig struct {
 	skip types.OptionalBool // skip TLS verification check (false by default)
@@ -57,6 +74,7 @@ type tlsVerifyConfig struct {
 type registrySyncConfig struct {
 	Images           map[string][]string    // Images map images name to slices with the images' references (tags, digests)
 	ImagesByTagRegex map[string]string      `yaml:"images-by-tag-regex"` // Images map images name to regular expression with the images' tags
+	ImagesBySemver   map[string]string      `yaml:"images-by-semver"`    // ImagesBySemver maps a repository to a semver constraint (e.g. '>=3.14') to match images' tags to
 	Credentials      types.DockerAuthConfig // Username and password used to authenticate with the registry
 	TLSVerify        tlsVerifyConfig        `yaml:"tls-verify"` // TLS verification mode (enabled by default)
 	CertDir          string                 `yaml:"cert-dir"`   // Path to the TLS certificates of the registry
@@ -67,27 +85,29 @@ type sourceConfig map[string]registrySyncConfig

 func syncCmd(global *globalOptions) *cobra.Command {
 	sharedFlags, sharedOpts := sharedImageFlags()
-	srcFlags, srcOpts := dockerImageFlags(global, sharedOpts, "src-", "screds")
-	destFlags, destOpts := dockerImageFlags(global, sharedOpts, "dest-", "dcreds")
+	deprecatedTLSVerifyFlags, deprecatedTLSVerifyOpt := deprecatedTLSVerifyFlags()
+	srcFlags, srcOpts := dockerImageFlags(global, sharedOpts, deprecatedTLSVerifyOpt, "src-", "screds")
+	destFlags, destOpts := dockerImageFlags(global, sharedOpts, deprecatedTLSVerifyOpt, "dest-", "dcreds")
 	retryFlags, retryOpts := retryFlags()

 	opts := syncOptions{
-		global:    global,
-		srcImage:  srcOpts,
-		destImage: &imageDestOptions{imageOptions: destOpts},
-		retryOpts: retryOpts,
+		global:              global,
+		deprecatedTLSVerify: deprecatedTLSVerifyOpt,
+		srcImage:            srcOpts,
+		destImage:           &imageDestOptions{imageOptions: destOpts},
+		retryOpts:           retryOpts,
 	}

 	cmd := &cobra.Command{
-		Use:   "sync [command options] --src SOURCE-LOCATION --dest DESTINATION-LOCATION SOURCE DESTINATION",
+		Use:   "sync [command options] --src TRANSPORT --dest TRANSPORT SOURCE DESTINATION",
 		Short: "Synchronize one or more images from one location to another",
-		Long: fmt.Sprint(`Copy all the images from a SOURCE to a DESTINATION.
+		Long: `Copy all the images from a SOURCE to a DESTINATION.

 Allowed SOURCE transports (specified with --src): docker, dir, yaml.
 Allowed DESTINATION transports (specified with --dest): docker, dir.

 See skopeo-sync(1) for details.
-`),
+`,
 		RunE:    commandAction(opts.run),
 		Example: `skopeo sync --src docker --dest dir --scoped registry.example.com/busybox /media/usb`,
 	}
@@ -95,24 +115,34 @@ See skopeo-sync(1) for details.
 	flags := cmd.Flags()
 	flags.BoolVar(&opts.removeSignatures, "remove-signatures", false, "Do not copy signatures from SOURCE images")
 	flags.StringVar(&opts.signByFingerprint, "sign-by", "", "Sign the image using a GPG key with the specified `FINGERPRINT`")
+	flags.StringVar(&opts.signBySigstoreParamFile, "sign-by-sigstore", "", "Sign the image using a sigstore parameter file at `PATH`")
+	flags.StringVar(&opts.signBySigstorePrivateKey, "sign-by-sigstore-private-key", "", "Sign the image using a sigstore private key at `PATH`")
+	flags.StringVar(&opts.signPassphraseFile, "sign-passphrase-file", "", "File that contains a passphrase for the --sign-by key")
+	flags.VarP(commonFlag.NewOptionalStringValue(&opts.format), "format", "f", `MANIFEST TYPE (oci, v2s1, or v2s2) to use when syncing image(s) to a destination (default is manifest type of source, with fallbacks)`)
 	flags.StringVarP(&opts.source, "src", "s", "", "SOURCE transport type")
 	flags.StringVarP(&opts.destination, "dest", "d", "", "DESTINATION transport type")
 	flags.BoolVar(&opts.scoped, "scoped", false, "Images at DESTINATION are prefix using the full source image path as scope")
+	flags.StringVar(&opts.appendSuffix, "append-suffix", "", "String to append to DESTINATION tags")
+	flags.StringVar(&opts.digestFile, "digestfile", "", "Write the digests and Image References of the resulting images to the specified file, separated by newlines")
 	flags.BoolVarP(&opts.all, "all", "a", false, "Copy all images if SOURCE-IMAGE is a list")
+	flags.BoolVar(&opts.dryRun, "dry-run", false, "Run without actually copying data")
+	flags.BoolVar(&opts.preserveDigests, "preserve-digests", false, "Preserve digests of images and lists")
+	flags.BoolVarP(&opts.keepGoing, "keep-going", "", false, "Do not abort the sync if any image copy fails")
 	flags.AddFlagSet(&sharedFlags)
+	flags.AddFlagSet(&deprecatedTLSVerifyFlags)
 	flags.AddFlagSet(&srcFlags)
 	flags.AddFlagSet(&destFlags)
 	flags.AddFlagSet(&retryFlags)
 	return cmd
 }

-// unmarshalYAML is the implementation of the Unmarshaler interface method
-// method for the tlsVerifyConfig type.
+// UnmarshalYAML is the implementation of the Unmarshaler interface method
+// for the tlsVerifyConfig type.
 // It unmarshals the 'tls-verify' YAML key so that, when they key is not
 // specified, tls verification is enforced.
-func (tls *tlsVerifyConfig) UnmarshalYAML(unmarshal func(interface{}) error) error {
+func (tls *tlsVerifyConfig) UnmarshalYAML(value *yaml.Node) error {
 	var verify bool
-	if err := unmarshal(&verify); err != nil {
+	if err := value.Decode(&verify); err != nil {
 		return err
 	}

@@ -124,13 +154,13 @@ func (tls *tlsVerifyConfig) UnmarshalYAML(unmarshal func(interface{}) error) err
 // It returns a new unmarshaled sourceConfig object and any error encountered.
 func newSourceConfig(yamlFile string) (sourceConfig, error) {
 	var cfg sourceConfig
-	source, err := ioutil.ReadFile(yamlFile)
+	source, err := os.ReadFile(yamlFile)
 	if err != nil {
 		return cfg, err
 	}
 	err = yaml.Unmarshal(source, &cfg)
 	if err != nil {
-		return cfg, errors.Wrapf(err, "Failed to unmarshal %q", yamlFile)
+		return cfg, fmt.Errorf("Failed to unmarshal %q: %w", yamlFile, err)
 	}
 	return cfg, nil
 }
@@ -142,7 +172,7 @@ func parseRepositoryReference(input string) (reference.Named, error) {
 		return nil, err
 	}
 	if !reference.IsNameOnly(ref) {
-		return nil, errors.Errorf("input names a reference, not a repository")
+		return nil, errors.New("input names a reference, not a repository")
 	}
 	return ref, nil
 }
@@ -160,24 +190,24 @@ func destinationReference(destination string, transport string) (types.ImageRefe
 	case directory.Transport.Name():
 		_, err := os.Stat(destination)
 		if err == nil {
-			return nil, errors.Errorf("Refusing to overwrite destination directory %q", destination)
+			return nil, fmt.Errorf("Refusing to overwrite destination directory %q", destination)
 		}
 		if !os.IsNotExist(err) {
-			return nil, errors.Wrap(err, "Destination directory could not be used")
+			return nil, fmt.Errorf("Destination directory could not be used: %w", err)
 		}
 		// the directory holding the image must be created here
 		if err = os.MkdirAll(destination, 0755); err != nil {
-			return nil, errors.Wrapf(err, "Error creating directory for image %s", destination)
+			return nil, fmt.Errorf("Error creating directory for image %s: %w", destination, err)
 		}
 		imageTransport = directory.Transport
 	default:
-		return nil, errors.Errorf("%q is not a valid destination transport", transport)
+		return nil, fmt.Errorf("%q is not a valid destination transport", transport)
 	}
 	logrus.Debugf("Destination for transport %q: %s", transport, destination)

 	destRef, err := imageTransport.ParseReference(destination)
 	if err != nil {
-		return nil, errors.Wrapf(err, "Cannot obtain a valid image reference for transport %q and reference %q", imageTransport.Name(), destination)
+		return nil, fmt.Errorf("Cannot obtain a valid image reference for transport %q and reference %q: %w", imageTransport.Name(), destination, err)
 	}

 	return destRef, nil
@@ -197,17 +227,8 @@ func getImageTags(ctx context.Context, sysCtx *types.SystemContext, repoRef refe
 		return nil, err // Should never happen for a reference with tag and no digest
 	}
 	tags, err := docker.GetRepositoryTags(ctx, sysCtx, dockerRef)
-
-	switch err := err.(type) {
-	case nil:
-		break
-	case docker.ErrUnauthorizedForCredentials:
-		// Some registries may decide to block the "list all tags" endpoint.
-		// Gracefully allow the sync to continue in this case.
-		logrus.Warnf("Registry disallows tag list retrieval: %s", err)
-		break
-	default:
-		return tags, errors.Wrapf(err, "Error determining repository tags for image %s", name)
+	if err != nil {
+		return nil, fmt.Errorf("Error determining repository tags for repo %s: %w", name, err)
 	}

 	return tags, nil
@@ -227,32 +248,36 @@ func imagesToCopyFromRepo(sys *types.SystemContext, repoRef reference.Named) ([]
 	for _, tag := range tags {
 		taggedRef, err := reference.WithTag(repoRef, tag)
 		if err != nil {
-			return nil, errors.Wrapf(err, "Error creating a reference for repository %s and tag %q", repoRef.Name(), tag)
+			logrus.WithFields(logrus.Fields{
+				"repo": repoRef.Name(),
+				"tag":  tag,
+			}).Errorf("Error creating a tagged reference from registry tag list: %v", err)
+			continue
 		}
 		ref, err := docker.NewReference(taggedRef)
 		if err != nil {
-			return nil, errors.Wrapf(err, "Cannot obtain a valid image reference for transport %q and reference %s", docker.Transport.Name(), taggedRef.String())
+			return nil, fmt.Errorf("Cannot obtain a valid image reference for transport %q and reference %s: %w", docker.Transport.Name(), taggedRef.String(), err)
 		}
 		sourceReferences = append(sourceReferences, ref)
 	}
 	return sourceReferences, nil
 }

-// imagesTopCopyFromDir builds a list of image references from the images found
+// imagesToCopyFromDir builds a list of image references from the images found
 // in the source directory.
 // It returns an image reference slice with as many elements as the images found
 // and any error encountered.
 func imagesToCopyFromDir(dirPath string) ([]types.ImageReference, error) {
 	var sourceReferences []types.ImageReference
-	err := filepath.Walk(dirPath, func(path string, info os.FileInfo, err error) error {
+	err := filepath.WalkDir(dirPath, func(path string, d fs.DirEntry, err error) error {
 		if err != nil {
 			return err
 		}
-		if !info.IsDir() && info.Name() == "manifest.json" {
+		if !d.IsDir() && d.Name() == "manifest.json" {
 			dirname := filepath.Dir(path)
 			ref, err := directory.Transport.ParseReference(dirname)
 			if err != nil {
-				return errors.Wrapf(err, "Cannot obtain a valid image reference for transport %q and reference %q", directory.Transport.Name(), dirname)
+				return fmt.Errorf("Cannot obtain a valid image reference for transport %q and reference %q: %w", directory.Transport.Name(), dirname, err)
 			}
 			sourceReferences = append(sourceReferences, ref)
 			return filepath.SkipDir
@@ -262,13 +287,13 @@ func imagesToCopyFromDir(dirPath string) ([]types.ImageReference, error) {

 	if err != nil {
 		return sourceReferences,
-			errors.Wrapf(err, "Error walking the path %q", dirPath)
+			fmt.Errorf("Error walking the path %q: %w", dirPath, err)
 	}

 	return sourceReferences, nil
 }

-// imagesTopCopyFromDir builds a list of repository descriptors from the images
+// imagesToCopyFromRegistry builds a list of repository descriptors from the images
 // in a registry configuration.
 // It returns a repository descriptors slice with as many elements as the images
 // found and any error encountered. Each element of the slice is a list of
@@ -284,6 +309,14 @@ func imagesToCopyFromRegistry(registryName string, cfg registrySyncConfig, sourc
 		serverCtx.DockerAuthConfig = &cfg.Credentials
 	}
 	var repoDescList []repoDescriptor
+
+	if len(cfg.Images) == 0 && len(cfg.ImagesByTagRegex) == 0 && len(cfg.ImagesBySemver) == 0 {
+		logrus.WithFields(logrus.Fields{
+			"registry": registryName,
+		}).Warn("No images specified for registry")
+		return repoDescList, nil
+	}
+
 	for imageName, refs := range cfg.Images {
 		repoLogger := logrus.WithFields(logrus.Fields{
 			"repo":     imageName,
@@ -348,63 +381,146 @@ func imagesToCopyFromRegistry(registryName string, cfg registrySyncConfig, sourc
 			Context:   serverCtx})
 	}

-	for imageName, tagRegex := range cfg.ImagesByTagRegex {
-		repoLogger := logrus.WithFields(logrus.Fields{
-			"repo":     imageName,
-			"registry": registryName,
-		})
-		repoRef, err := parseRepositoryReference(fmt.Sprintf("%s/%s", registryName, imageName))
+	// include repository descriptors for cfg.ImagesByTagRegex
+	{
+		filterCollection, err := tagRegexFilterCollection(cfg.ImagesByTagRegex)
 		if err != nil {
-			repoLogger.Error("Error parsing repository name, skipping")
 			logrus.Error(err)
-			continue
+		} else {
+			additionalRepoDescList := filterSourceReferences(serverCtx, registryName, filterCollection)
+			repoDescList = append(repoDescList, additionalRepoDescList...)
 		}
+	}

-		repoLogger.Info("Processing repo")
-
-		var sourceReferences []types.ImageReference
-
-		tagReg, err := regexp.Compile(tagRegex)
+	// include repository descriptors for cfg.ImagesBySemver
+	{
+		filterCollection, err := semverFilterCollection(cfg.ImagesBySemver)
 		if err != nil {
-			repoLogger.WithFields(logrus.Fields{
-				"regex": tagRegex,
-			}).Error("Error parsing regex, skipping")
 			logrus.Error(err)
-			continue
+		} else {
+			additionalRepoDescList := filterSourceReferences(serverCtx, registryName, filterCollection)
+			repoDescList = append(repoDescList, additionalRepoDescList...)
 		}
-
-		repoLogger.Info("Querying registry for image tags")
-		allSourceReferences, err := imagesToCopyFromRepo(serverCtx, repoRef)
-		if err != nil {
-			repoLogger.Error("Error processing repo, skipping")
-			logrus.Error(err)
-			continue
-		}
-
-		repoLogger.Infof("Start filtering using the regular expression: %v", tagRegex)
-		for _, sReference := range allSourceReferences {
-			tagged, isTagged := sReference.DockerReference().(reference.Tagged)
-			if !isTagged {
-				repoLogger.Errorf("Internal error, reference %s does not have a tag, skipping", sReference.DockerReference())
-				continue
-			}
-			if tagReg.MatchString(tagged.Tag()) {
-				sourceReferences = append(sourceReferences, sReference)
-			}
-		}
-
-		if len(sourceReferences) == 0 {
-			repoLogger.Warnf("No refs to sync found")
-			continue
-		}
-		repoDescList = append(repoDescList, repoDescriptor{
-			ImageRefs: sourceReferences,
-			Context:   serverCtx})
 	}

 	return repoDescList, nil
 }

+// filterFunc is a function used to limit the initial set of image references
+// using tags, patterns, semver, etc.
+type filterFunc func(*logrus.Entry, types.ImageReference) bool
+
+// filterCollection is a map of repository names to filter functions.
+type filterCollection map[string]filterFunc
+
+// filterSourceReferences lists tags for images specified in the collection and
+// filters them using assigned filter functions.
+// It returns a list of repoDescriptors.
+func filterSourceReferences(sys *types.SystemContext, registryName string, collection filterCollection) []repoDescriptor {
+	var repoDescList []repoDescriptor
+	for repoName, filter := range collection {
+		logger := logrus.WithFields(logrus.Fields{
+			"repo":     repoName,
+			"registry": registryName,
+		})
+
+		repoRef, err := parseRepositoryReference(fmt.Sprintf("%s/%s", registryName, repoName))
+		if err != nil {
+			logger.Error("Error parsing repository name, skipping")
+			logrus.Error(err)
+			continue
+		}
+
+		logger.Info("Processing repo")
+
+		var sourceReferences []types.ImageReference
+
+		logger.Info("Querying registry for image tags")
+		sourceReferences, err = imagesToCopyFromRepo(sys, repoRef)
+		if err != nil {
+			logger.Error("Error processing repo, skipping")
+			logrus.Error(err)
+			continue
+		}
+
+		var filteredSourceReferences []types.ImageReference
+		for _, ref := range sourceReferences {
+			if filter(logger, ref) {
+				filteredSourceReferences = append(filteredSourceReferences, ref)
+			}
+		}
+
+		if len(filteredSourceReferences) == 0 {
+			logger.Warnf("No refs to sync found")
+			continue
+		}
+
+		repoDescList = append(repoDescList, repoDescriptor{
+			ImageRefs: filteredSourceReferences,
+			Context:   sys,
+		})
+	}
+	return repoDescList
+}
+
+// tagRegexFilterCollection converts a map of (repository name, tag regex) pairs
+// into a filterCollection, which is a map of (repository name, filter function)
+// pairs.
+func tagRegexFilterCollection(collection map[string]string) (filterCollection, error) {
+	filters := filterCollection{}
+
+	for repoName, tagRegex := range collection {
+		pattern, err := regexp.Compile(tagRegex)
+		if err != nil {
+			return nil, err
+		}
+
+		f := func(logger *logrus.Entry, sourceReference types.ImageReference) bool {
+			tagged, isTagged := sourceReference.DockerReference().(reference.Tagged)
+			if !isTagged {
+				logger.Errorf("Internal error, reference %s does not have a tag, skipping", sourceReference.DockerReference())
+				return false
+			}
+			return pattern.MatchString(tagged.Tag())
+		}
+		filters[repoName] = f
+	}
+
+	return filters, nil
+}
+
+// semverFilterCollection converts a map of (repository name, array of semver constraints) pairs
+// into a filterCollection, which is a map of (repository name, filter function)
+// pairs.
+func semverFilterCollection(collection map[string]string) (filterCollection, error) {
+	filters := filterCollection{}
+
+	for repoName, constraintString := range collection {
+		constraint, err := semver.NewConstraint(constraintString)
+		if err != nil {
+			return nil, err
+		}
+
+		f := func(logger *logrus.Entry, sourceReference types.ImageReference) bool {
+			tagged, isTagged := sourceReference.DockerReference().(reference.Tagged)
+			if !isTagged {
+				logger.Errorf("Internal error, reference %s does not have a tag, skipping", sourceReference.DockerReference())
+				return false
+			}
+			tagVersion, err := semver.NewVersion(tagged.Tag())
+			if err != nil {
+				logger.Tracef("Tag %q cannot be parsed as semver, skipping", tagged.Tag())
+				return false
+			}
+			return constraint.Check(tagVersion)
+		}
+
+		filters[repoName] = f
+	}
+
+	return filters, nil
+}
+
 // imagesToCopy retrieves all the images to copy from a specified sync source
 // and transport.
 // It returns a slice of repository descriptors, where each descriptor is a
@@ -420,7 +536,7 @@ func imagesToCopy(source string, transport string, sourceCtx *types.SystemContex
 		}
 		named, err := reference.ParseNormalizedNamed(source) // May be a repository or an image.
 		if err != nil {
-			return nil, errors.Wrapf(err, "Cannot obtain a valid image reference for transport %q and reference %q", docker.Transport.Name(), source)
+			return nil, fmt.Errorf("Cannot obtain a valid image reference for transport %q and reference %q: %w", docker.Transport.Name(), source, err)
 		}
 		imageTagged := !reference.IsNameOnly(named)
 		logrus.WithFields(logrus.Fields{
@@ -430,7 +546,7 @@ func imagesToCopy(source string, transport string, sourceCtx *types.SystemContex
 		if imageTagged {
 			srcRef, err := docker.NewReference(named)
 			if err != nil {
-				return nil, errors.Wrapf(err, "Cannot obtain a valid image reference for transport %q and reference %q", docker.Transport.Name(), named.String())
+				return nil, fmt.Errorf("Cannot obtain a valid image reference for transport %q and reference %q: %w", docker.Transport.Name(), named.String(), err)
 			}
 			desc.ImageRefs = []types.ImageReference{srcRef}
 		} else {
@@ -439,7 +555,7 @@ func imagesToCopy(source string, transport string, sourceCtx *types.SystemContex
 				return descriptors, err
 			}
 			if len(desc.ImageRefs) == 0 {
-				return descriptors, errors.Errorf("No images to sync found in %q", source)
+				return descriptors, fmt.Errorf("No images to sync found in %q", source)
 			}
 		}
 		descriptors = append(descriptors, desc)
@@ -450,7 +566,7 @@ func imagesToCopy(source string, transport string, sourceCtx *types.SystemContex
 		}

 		if _, err := os.Stat(source); err != nil {
-			return descriptors, errors.Wrap(err, "Invalid source directory specified")
+			return descriptors, fmt.Errorf("Invalid source directory specified: %w", err)
 		}
 		desc.DirBasePath = source
 		var err error
@@ -459,7 +575,7 @@ func imagesToCopy(source string, transport string, sourceCtx *types.SystemContex
 			return descriptors, err
 		}
 		if len(desc.ImageRefs) == 0 {
-			return descriptors, errors.Errorf("No images to sync found in %q", source)
+			return descriptors, fmt.Errorf("No images to sync found in %q", source)
 		}
 		descriptors = append(descriptors, desc)

@@ -469,16 +585,9 @@ func imagesToCopy(source string, transport string, sourceCtx *types.SystemContex
 			return descriptors, err
 		}
 		for registryName, registryConfig := range cfg {
-			if len(registryConfig.Images) == 0 && len(registryConfig.ImagesByTagRegex) == 0 {
-				logrus.WithFields(logrus.Fields{
-					"registry": registryName,
-				}).Warn("No images specified for registry")
-				continue
-			}
-
 			descs, err := imagesToCopyFromRegistry(registryName, registryConfig, *sourceCtx)
 			if err != nil {
-				return descriptors, errors.Wrapf(err, "Failed to retrieve list of images from registry %q", registryName)
+				return descriptors, fmt.Errorf("Failed to retrieve list of images from registry %q: %w", registryName, err)
 			}
 			descriptors = append(descriptors, descs...)
 		}
@@ -487,45 +596,43 @@ func imagesToCopy(source string, transport string, sourceCtx *types.SystemContex
 	return descriptors, nil
 }

-func (opts *syncOptions) run(args []string, stdout io.Writer) error {
+func (opts *syncOptions) run(args []string, stdout io.Writer) (retErr error) {
 	if len(args) != 2 {
 		return errorShouldDisplayUsage{errors.New("Exactly two arguments expected")}
 	}
+	opts.deprecatedTLSVerify.warnIfUsed([]string{"--src-tls-verify", "--dest-tls-verify"})

 	policyContext, err := opts.global.getPolicyContext()
 	if err != nil {
-		return errors.Wrapf(err, "Error loading trust policy")
+		return fmt.Errorf("Error loading trust policy: %w", err)
 	}
-	defer policyContext.Destroy()
+	defer func() {
+		if err := policyContext.Destroy(); err != nil {
+			retErr = noteCloseFailure(retErr, "tearing down policy context", err)
+		}
+	}()

 	// validate source and destination options
-	contains := func(val string, list []string) (_ bool) {
-		for _, l := range list {
-			if l == val {
-				return true
-			}
-		}
-		return
-	}
-
 	if len(opts.source) == 0 {
 		return errors.New("A source transport must be specified")
 	}
-	if !contains(opts.source, []string{docker.Transport.Name(), directory.Transport.Name(), "yaml"}) {
-		return errors.Errorf("%q is not a valid source transport", opts.source)
+	if !slices.Contains([]string{docker.Transport.Name(), directory.Transport.Name(), "yaml"}, opts.source) {
+		return fmt.Errorf("%q is not a valid source transport", opts.source)
 	}

 	if len(opts.destination) == 0 {
 		return errors.New("A destination transport must be specified")
 	}
-	if !contains(opts.destination, []string{docker.Transport.Name(), directory.Transport.Name()}) {
-		return errors.Errorf("%q is not a valid destination transport", opts.destination)
+	if !slices.Contains([]string{docker.Transport.Name(), directory.Transport.Name()}, opts.destination) {
+		return fmt.Errorf("%q is not a valid destination transport", opts.destination)
 	}

 	if opts.source == opts.destination && opts.source == directory.Transport.Name() {
 		return errors.New("sync from 'dir' to 'dir' not implemented, consider using rsync instead")
 	}

+	opts.destImage.warnAboutIneffectiveOptions(transports.Get(opts.destination))
+
 	imageListSelection := copy.CopySystemImage
 	if opts.all {
 		imageListSelection = copy.CopyAllImages
@@ -536,12 +643,20 @@ func (opts *syncOptions) run(args []string, stdout io.Writer) error {
 		return err
 	}

+	var manifestType string
+	if opts.format.Present() {
+		manifestType, err = parseManifestFormat(opts.format.Value())
+		if err != nil {
+			return err
+		}
+	}
+
 	ctx, cancel := opts.global.commandTimeoutContext()
 	defer cancel()

 	sourceArg := args[0]
 	var srcRepoList []repoDescriptor
-	if err = retry.RetryIfNecessary(ctx, func() error {
+	if err = retry.IfNecessary(ctx, func() error {
 		srcRepoList, err = imagesToCopy(sourceArg, opts.source, sourceCtx)
 		return err
 	}, opts.retryOpts); err != nil {
@@ -554,19 +669,81 @@ func (opts *syncOptions) run(args []string, stdout io.Writer) error {
 		return err
 	}

-	imagesNumber := 0
+	// c/image/copy.Image does allow creating both simple signing and sigstore signatures simultaneously,
+	// with independent passphrases, but that would make the CLI probably too confusing.
+	// For now, use the passphrase with either, but only one of them.
+	if opts.signPassphraseFile != "" && opts.signByFingerprint != "" && opts.signBySigstorePrivateKey != "" {
+		return fmt.Errorf("Only one of --sign-by and sign-by-sigstore-private-key can be used with sign-passphrase-file")
+	}
+	var passphrase string
+	if opts.signPassphraseFile != "" {
+		p, err := cli.ReadPassphraseFile(opts.signPassphraseFile)
+		if err != nil {
+			return err
+		}
+		passphrase = p
+	} else if opts.signBySigstorePrivateKey != "" {
+		p, err := promptForPassphrase(opts.signBySigstorePrivateKey, os.Stdin, os.Stdout)
+		if err != nil {
+			return err
+		}
+		passphrase = p
+	}
+
+	var signers []*signer.Signer
+	if opts.signBySigstoreParamFile != "" {
+		signer, err := sigstore.NewSignerFromParameterFile(opts.signBySigstoreParamFile, &sigstore.Options{
+			PrivateKeyPassphrasePrompt: func(keyFile string) (string, error) {
+				return promptForPassphrase(keyFile, os.Stdin, os.Stdout)
+			},
+			Stdin:  os.Stdin,
+			Stdout: stdout,
+		})
+		if err != nil {
+			return fmt.Errorf("Error using --sign-by-sigstore: %w", err)
+		}
+		defer signer.Close()
+		signers = append(signers, signer)
+	}
+
 	options := copy.Options{
-		RemoveSignatures:   opts.removeSignatures,
-		SignBy:             opts.signByFingerprint,
-		ReportWriter:       os.Stdout,
-		DestinationCtx:     destinationCtx,
-		ImageListSelection: imageListSelection,
+		RemoveSignatures:                      opts.removeSignatures,
+		Signers:                               signers,
+		SignBy:                                opts.signByFingerprint,
+		SignPassphrase:                        passphrase,
+		SignBySigstorePrivateKeyFile:          opts.signBySigstorePrivateKey,
+		SignSigstorePrivateKeyPassphrase:      []byte(passphrase),
+		ReportWriter:                          stdout,
+		DestinationCtx:                        destinationCtx,
+		ImageListSelection:                    imageListSelection,
+		PreserveDigests:                       opts.preserveDigests,
+		OptimizeDestinationImageAlreadyExists: true,
+		ForceManifestMIMEType:                 manifestType,
+	}
+	errorsPresent := false
+	imagesNumber := 0
+	if opts.dryRun {
+		logrus.Warn("Running in dry-run mode")
+	}
+
+	var digestFile *os.File
+	if opts.digestFile != "" && !opts.dryRun {
+		digestFile, err = os.OpenFile(opts.digestFile, os.O_TRUNC|os.O_CREATE|os.O_WRONLY, 0644)
+		if err != nil {
+			return fmt.Errorf("Error creating digest file: %w", err)
+		}
+		defer func() {
+			if err := digestFile.Close(); err != nil {
+				retErr = noteCloseFailure(retErr, "closing digest file", err)
+			}
+		}()
 	}

 	for _, srcRepo := range srcRepoList {
 		options.SourceCtx = srcRepo.Context
 		for counter, ref := range srcRepo.ImageRefs {
 			var destSuffix string
+			var manifestBytes []byte
 			switch ref.Transport() {
 			case docker.Transport:
 				// docker -> dir or docker -> docker
@@ -584,26 +761,56 @@ func (opts *syncOptions) run(args []string, stdout io.Writer) error {
 				destSuffix = path.Base(destSuffix)
 			}

-			destRef, err := destinationReference(path.Join(destination, destSuffix), opts.destination)
+			destRef, err := destinationReference(path.Join(destination, destSuffix)+opts.appendSuffix, opts.destination)
 			if err != nil {
 				return err
 			}

-			logrus.WithFields(logrus.Fields{
+			fromToFields := logrus.Fields{
 				"from": transports.ImageName(ref),
 				"to":   transports.ImageName(destRef),
-			}).Infof("Copying image ref %d/%d", counter+1, len(srcRepo.ImageRefs))
-
-			if err = retry.RetryIfNecessary(ctx, func() error {
-				_, err = copy.Image(ctx, policyContext, destRef, ref, &options)
-				return err
-			}, opts.retryOpts); err != nil {
-				return errors.Wrapf(err, "Error copying ref %q", transports.ImageName(ref))
 			}
+			if opts.dryRun {
+				logrus.WithFields(fromToFields).Infof("Would have copied image ref %d/%d", counter+1, len(srcRepo.ImageRefs))
+			} else {
+				logrus.WithFields(fromToFields).Infof("Copying image ref %d/%d", counter+1, len(srcRepo.ImageRefs))
+				if err = retry.IfNecessary(ctx, func() error {
+					manifestBytes, err = copy.Image(ctx, policyContext, destRef, ref, &options)
+					return err
+				}, opts.retryOpts); err != nil {
+					if !opts.keepGoing {
+						return fmt.Errorf("Error copying ref %q: %w", transports.ImageName(ref), err)
+					}
+					// log the error, keep a note that there was a failure and move on to the next
+					// image ref
+					errorsPresent = true
+					logrus.WithError(err).Errorf("Error copying ref %q", transports.ImageName(ref))
+					continue
+				}
+				// Ensure that we log the manifest digest to a file only if the copy operation was successful
+				if opts.digestFile != "" {
+					manifestDigest, err := manifest.Digest(manifestBytes)
+					if err != nil {
+						return err
+					}
+					outputStr := fmt.Sprintf("%s %s", manifestDigest.String(), transports.ImageName(destRef))
+					if _, err = digestFile.WriteString(outputStr + "\n"); err != nil {
+						return fmt.Errorf("Failed to write digest to file %q: %w", opts.digestFile, err)
+					}
+				}
+			}
+
 			imagesNumber++
 		}
 	}

-	logrus.Infof("Synced %d images from %d sources", imagesNumber, len(srcRepoList))
-	return nil
+	if opts.dryRun {
+		logrus.Infof("Would have synced %d images from %d sources", imagesNumber, len(srcRepoList))
+	} else {
+		logrus.Infof("Synced %d images from %d sources", imagesNumber, len(srcRepoList))
+	}
+	if !errorsPresent {
+		return nil
+	}
+	return errors.New("Sync failed due to previous reported error(s) for one or more images")
 }
--- a/cmd/skopeo/sync_test.go
+++ b/cmd/skopeo/sync_test.go
@@ -0,0 +1,61 @@
+package main
+
+import (
+	"testing"
+
+	"github.com/containers/image/v5/types"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"gopkg.in/yaml.v3"
+)
+
+var _ yaml.Unmarshaler = (*tlsVerifyConfig)(nil)
+
+func TestTLSVerifyConfig(t *testing.T) {
+	type container struct { // An example of a larger config file
+		TLSVerify tlsVerifyConfig `yaml:"tls-verify"`
+	}
+
+	for _, c := range []struct {
+		input    string
+		expected tlsVerifyConfig
+	}{
+		{
+			input:    `tls-verify: true`,
+			expected: tlsVerifyConfig{skip: types.OptionalBoolFalse},
+		},
+		{
+			input:    `tls-verify: false`,
+			expected: tlsVerifyConfig{skip: types.OptionalBoolTrue},
+		},
+		{
+			input:    ``, // No value
+			expected: tlsVerifyConfig{skip: types.OptionalBoolUndefined},
+		},
+	} {
+		config := container{}
+		err := yaml.Unmarshal([]byte(c.input), &config)
+		require.NoError(t, err, c.input)
+		assert.Equal(t, c.expected, config.TLSVerify, c.input)
+	}
+
+	// Invalid input
+	config := container{}
+	err := yaml.Unmarshal([]byte(`tls-verify: "not a valid bool"`), &config)
+	assert.Error(t, err)
+}
+
+func TestSync(t *testing.T) {
+	// Invalid command-line arguments
+	for _, args := range [][]string{
+		{},
+		{"a1"},
+		{"a1", "a2", "a3"},
+	} {
+		out, err := runSkopeo(append([]string{"sync"}, args...)...)
+		assertTestFailed(t, out, err, "Exactly two arguments expected")
+	}
+
+	// FIXME: Much more test coverage
+	// Actual feature tests exist in integration and systemtest
+}
--- a/cmd/skopeo/unshare.go
+++ b/cmd/skopeo/unshare.go
@@ -1,11 +1,8 @@
+//go:build !linux
 // +build !linux

 package main

-func maybeReexec() error {
-	return nil
-}
-
-func reexecIfNecessaryForImages(inputImageNames ...string) error {
+func reexecIfNecessaryForImages(_ ...string) error {
 	return nil
 }
--- a/cmd/skopeo/unshare_linux.go
+++ b/cmd/skopeo/unshare_linux.go
@@ -1,10 +1,12 @@
 package main

 import (
+	"fmt"
+	"slices"
+
 	"github.com/containers/image/v5/transports/alltransports"
 	"github.com/containers/storage/pkg/unshare"
-	"github.com/pkg/errors"
-	"github.com/syndtr/gocapability/capability"
+	"github.com/moby/sys/capability"
 )

 var neededCapabilities = []capability.Cap{
@@ -20,29 +22,32 @@ func maybeReexec() error {
 	// With Skopeo we need only the subset of the root capabilities necessary
 	// for pulling an image to the storage.  Do not attempt to create a namespace
 	// if we already have the capabilities we need.
-	capabilities, err := capability.NewPid(0)
+	capabilities, err := capability.NewPid2(0)
 	if err != nil {
-		return errors.Wrapf(err, "error reading the current capabilities sets")
+		return fmt.Errorf("error reading the current capabilities sets: %w", err)
 	}
-	for _, cap := range neededCapabilities {
-		if !capabilities.Get(capability.EFFECTIVE, cap) {
-			// We miss a capability we need, create a user namespaces
-			unshare.MaybeReexecUsingUserNamespace(true)
-			return nil
-		}
+	if err := capabilities.Load(); err != nil {
+		return fmt.Errorf("error loading the current capabilities sets: %w", err)
+	}
+	if slices.ContainsFunc(neededCapabilities, func(cap capability.Cap) bool {
+		return !capabilities.Get(capability.EFFECTIVE, cap)
+	}) {
+		// We miss a capability we need, create a user namespaces
+		unshare.MaybeReexecUsingUserNamespace(true)
+		return nil
 	}
 	return nil
 }

 func reexecIfNecessaryForImages(imageNames ...string) error {
 	// Check if container-storage is used before doing unshare
-	for _, imageName := range imageNames {
+	if slices.ContainsFunc(imageNames, func(imageName string) bool {
 		transport := alltransports.TransportFromImageName(imageName)
 		// Hard-code the storage name to avoid a reference on c/image/storage.
 		// See https://github.com/containers/skopeo/issues/771#issuecomment-563125006.
-		if transport != nil && transport.Name() == "containers-storage" {
-			return maybeReexec()
-		}
+		return transport != nil && transport.Name() == "containers-storage"
+	}) {
+		return maybeReexec()
 	}
 	return nil
 }
--- a/cmd/skopeo/utils.go
+++ b/cmd/skopeo/utils.go
@@ -2,24 +2,57 @@ package main

 import (
 	"context"
+	"errors"
+	"fmt"
 	"io"
 	"os"
 	"strings"
+	"time"

+	commonFlag "github.com/containers/common/pkg/flag"
 	"github.com/containers/common/pkg/retry"
+	"github.com/containers/image/v5/directory"
+	"github.com/containers/image/v5/manifest"
+	ocilayout "github.com/containers/image/v5/oci/layout"
 	"github.com/containers/image/v5/pkg/compression"
+	"github.com/containers/image/v5/storage"
 	"github.com/containers/image/v5/transports/alltransports"
 	"github.com/containers/image/v5/types"
-	"github.com/pkg/errors"
+	dockerdistributionerrcode "github.com/docker/distribution/registry/api/errcode"
+	dockerdistributionapi "github.com/docker/distribution/registry/api/v2"
+	imgspecv1 "github.com/opencontainers/image-spec/specs-go/v1"
+	"github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 	"github.com/spf13/pflag"
+	"golang.org/x/term"
 )

-// errorShouldDisplayUsage is a subtype of error used by command handlers to indicate that cli.ShowSubcommandHelp should be called.
+// errorShouldDisplayUsage is a subtype of error used by command handlers to indicate that the command’s help should be included.
 type errorShouldDisplayUsage struct {
 	error
 }

+// noteCloseFailure returns (possibly-nil) err modified to account for (non-nil) closeErr.
+// The error for closeErr is annotated with description (which is not a format string)
+// Typical usage:
+//
+//	defer func() {
+//		if err := something.Close(); err != nil {
+//			returnedErr = noteCloseFailure(returnedErr, "closing something", err)
+//		}
+//	}
+func noteCloseFailure(err error, description string, closeErr error) error {
+	// We don’t accept a Closer() and close it ourselves because signature.PolicyContext has .Destroy(), not .Close().
+	// This also makes it harder for a caller to do
+	//     defer noteCloseFailure(returnedErr, …)
+	// which doesn’t use the right value of returnedErr, and doesn’t update it.
+	if err == nil {
+		return fmt.Errorf("%s: %w", description, closeErr)
+	}
+	// In this case we prioritize the primary error for use with %w; closeErr is usually less relevant, or might be a consequence of the primary error.
+	return fmt.Errorf("%w (%s: %v)", err, description, closeErr)
+}
+
 // commandAction intermediates between the RunE interface and the real handler,
 // primarily to ensure that cobra.Command is not available to the handler, which in turn
 // makes sure that the cmd.Flags() etc. flag access functions are not used,
@@ -28,13 +61,44 @@ type errorShouldDisplayUsage struct {
 func commandAction(handler func(args []string, stdout io.Writer) error) func(cmd *cobra.Command, args []string) error {
 	return func(c *cobra.Command, args []string) error {
 		err := handler(args, c.OutOrStdout())
-		if _, ok := err.(errorShouldDisplayUsage); ok {
-			c.Help()
+		var shouldDisplayUsage errorShouldDisplayUsage
+		if errors.As(err, &shouldDisplayUsage) {
+			c.SetOut(c.ErrOrStderr()) // This mutates c, but we are failing anyway.
+			_ = c.Help()              // Even if this failed, we prefer to report the original error
 		}
 		return err
 	}
 }

+// deprecatedTLSVerifyOption represents a deprecated --tls-verify option,
+// which was accepted for all subcommands, for a time.
+// Every user should call deprecatedTLSVerifyOption.warnIfUsed() as part of handling the CLI,
+// whether or not the value actually ends up being used.
+// DO NOT ADD ANY NEW USES OF THIS; just call dockerImageFlags with an appropriate, possibly empty, flagPrefix.
+type deprecatedTLSVerifyOption struct {
+	tlsVerify commonFlag.OptionalBool // FIXME FIXME: Warn if this is used, or even if it is ignored.
+}
+
+// warnIfUsed warns if tlsVerify was set by the user, and suggests alternatives (which should
+// start with "--").
+// Every user should call this as part of handling the CLI, whether or not the value actually
+// ends up being used.
+func (opts *deprecatedTLSVerifyOption) warnIfUsed(alternatives []string) {
+	if opts.tlsVerify.Present() {
+		logrus.Warnf("'--tls-verify' is deprecated, instead use: %s", strings.Join(alternatives, ", "))
+	}
+}
+
+// deprecatedTLSVerifyFlags prepares the CLI flag writing into deprecatedTLSVerifyOption, and the managed deprecatedTLSVerifyOption structure.
+// DO NOT ADD ANY NEW USES OF THIS; just call dockerImageFlags with an appropriate, possibly empty, flagPrefix.
+func deprecatedTLSVerifyFlags() (pflag.FlagSet, *deprecatedTLSVerifyOption) {
+	opts := deprecatedTLSVerifyOption{}
+	fs := pflag.FlagSet{}
+	flag := commonFlag.OptionalBoolFlag(&fs, &opts.tlsVerify, "tls-verify", "require HTTPS and verify certificates when accessing the container registry")
+	flag.Hidden = true
+	return fs, &opts
+}
+
 // sharedImageOptions collects CLI flags which are image-related, but do not change across images.
 // This really should be a part of globalOptions, but that would break existing users of (skopeo copy --authfile=).
 type sharedImageOptions struct {
@@ -53,14 +117,17 @@ func sharedImageFlags() (pflag.FlagSet, *sharedImageOptions) {
 // the same across subcommands, but may be different for each image
 // (e.g. may differ between the source and destination of a copy)
 type dockerImageOptions struct {
-	global         *globalOptions      // May be shared across several imageOptions instances.
-	shared         *sharedImageOptions // May be shared across several imageOptions instances.
-	authFilePath   optionalString      // Path to a */containers/auth.json (prefixed version to override shared image option).
-	credsOption    optionalString      // username[:password] for accessing a registry
-	registryToken  optionalString      // token to be used directly as a Bearer token when accessing the registry
-	dockerCertPath string              // A directory using Docker-like *.{crt,cert,key} files for connecting to a registry or a daemon
-	tlsVerify      optionalBool        // Require HTTPS and verify certificates (for docker: and docker-daemon:)
-	noCreds        bool                // Access the registry anonymously
+	global              *globalOptions             // May be shared across several imageOptions instances.
+	shared              *sharedImageOptions        // May be shared across several imageOptions instances.
+	deprecatedTLSVerify *deprecatedTLSVerifyOption // May be shared across several imageOptions instances, or nil.
+	authFilePath        commonFlag.OptionalString  // Path to a */containers/auth.json (prefixed version to override shared image option).
+	credsOption         commonFlag.OptionalString  // username[:password] for accessing a registry
+	userName            commonFlag.OptionalString  // username for accessing a registry
+	password            commonFlag.OptionalString  // password for accessing a registry
+	registryToken       commonFlag.OptionalString  // token to be used directly as a Bearer token when accessing the registry
+	dockerCertPath      string                     // A directory using Docker-like *.{crt,cert,key} files for connecting to a registry or a daemon
+	tlsVerify           commonFlag.OptionalBool    // Require HTTPS and verify certificates (for docker: and docker-daemon:)
+	noCreds             bool                       // Access the registry anonymously
 }

 // imageOptions collects CLI flags which are the same across subcommands, but may be different for each image
@@ -73,36 +140,39 @@ type imageOptions struct {

 // dockerImageFlags prepares a collection of docker-transport specific CLI flags
 // writing into imageOptions, and the managed imageOptions structure.
-func dockerImageFlags(global *globalOptions, shared *sharedImageOptions, flagPrefix, credsOptionAlias string) (pflag.FlagSet, *imageOptions) {
+func dockerImageFlags(global *globalOptions, shared *sharedImageOptions, deprecatedTLSVerify *deprecatedTLSVerifyOption, flagPrefix, credsOptionAlias string) (pflag.FlagSet, *imageOptions) {
 	flags := imageOptions{
 		dockerImageOptions: dockerImageOptions{
-			global: global,
-			shared: shared,
+			global:              global,
+			shared:              shared,
+			deprecatedTLSVerify: deprecatedTLSVerify,
 		},
 	}

 	fs := pflag.FlagSet{}
 	if flagPrefix != "" {
 		// the non-prefixed flag is handled by a shared flag.
-		fs.Var(newOptionalStringValue(&flags.authFilePath), flagPrefix+"authfile", "path of the authentication file. Default is ${XDG_RUNTIME_DIR}/containers/auth.json")
+		fs.Var(commonFlag.NewOptionalStringValue(&flags.authFilePath), flagPrefix+"authfile", "path of the authentication file. Default is ${XDG_RUNTIME_DIR}/containers/auth.json")
 	}
-	fs.Var(newOptionalStringValue(&flags.credsOption), flagPrefix+"creds", "Use `USERNAME[:PASSWORD]` for accessing the registry")
+	fs.Var(commonFlag.NewOptionalStringValue(&flags.credsOption), flagPrefix+"creds", "Use `USERNAME[:PASSWORD]` for accessing the registry")
+	fs.Var(commonFlag.NewOptionalStringValue(&flags.userName), flagPrefix+"username", "Username for accessing the registry")
+	fs.Var(commonFlag.NewOptionalStringValue(&flags.password), flagPrefix+"password", "Password for accessing the registry")
 	if credsOptionAlias != "" {
 		// This is horribly ugly, but we need to support the old option forms of (skopeo copy) for compatibility.
 		// Don't add any more cases like this.
-		f := fs.VarPF(newOptionalStringValue(&flags.credsOption), credsOptionAlias, "", "Use `USERNAME[:PASSWORD]` for accessing the registry")
+		f := fs.VarPF(commonFlag.NewOptionalStringValue(&flags.credsOption), credsOptionAlias, "", "Use `USERNAME[:PASSWORD]` for accessing the registry")
 		f.Hidden = true
 	}
-	fs.Var(newOptionalStringValue(&flags.registryToken), flagPrefix+"registry-token", "Provide a Bearer token for accessing the registry")
+	fs.Var(commonFlag.NewOptionalStringValue(&flags.registryToken), flagPrefix+"registry-token", "Provide a Bearer token for accessing the registry")
 	fs.StringVar(&flags.dockerCertPath, flagPrefix+"cert-dir", "", "use certificates at `PATH` (*.crt, *.cert, *.key) to connect to the registry or daemon")
-	optionalBoolFlag(&fs, &flags.tlsVerify, flagPrefix+"tls-verify", "require HTTPS and verify certificates when talking to the container registry or daemon (defaults to true)")
+	commonFlag.OptionalBoolFlag(&fs, &flags.tlsVerify, flagPrefix+"tls-verify", "require HTTPS and verify certificates when talking to the container registry or daemon")
 	fs.BoolVar(&flags.noCreds, flagPrefix+"no-creds", false, "Access the registry anonymously")
 	return fs, &flags
 }

 // imageFlags prepares a collection of CLI flags writing into imageOptions, and the managed imageOptions structure.
-func imageFlags(global *globalOptions, shared *sharedImageOptions, flagPrefix, credsOptionAlias string) (pflag.FlagSet, *imageOptions) {
-	dockerFlags, opts := dockerImageFlags(global, shared, flagPrefix, credsOptionAlias)
+func imageFlags(global *globalOptions, shared *sharedImageOptions, deprecatedTLSVerify *deprecatedTLSVerifyOption, flagPrefix, credsOptionAlias string) (pflag.FlagSet, *imageOptions) {
+	dockerFlags, opts := dockerImageFlags(global, shared, deprecatedTLSVerify, flagPrefix, credsOptionAlias)

 	fs := pflag.FlagSet{}
 	fs.StringVar(&opts.sharedBlobDir, flagPrefix+"shared-blob-dir", "", "`DIRECTORY` to use to share blobs across OCI repositories")
@@ -111,14 +181,11 @@ func imageFlags(global *globalOptions, shared *sharedImageOptions, flagPrefix, c
 	return fs, opts
 }

-type retryOptions struct {
-	maxRetry int // The number of times to possibly retry
-}
-
-func retryFlags() (pflag.FlagSet, *retry.RetryOptions) {
-	opts := retry.RetryOptions{}
+func retryFlags() (pflag.FlagSet, *retry.Options) {
+	opts := retry.Options{}
 	fs := pflag.FlagSet{}
 	fs.IntVar(&opts.MaxRetry, "retry-times", 0, "the number of times to possibly retry")
+	fs.DurationVar(&opts.Delay, "retry-delay", 0*time.Second, "Fixed delay between retries. If not set, retry uses an exponential backoff delay.")
 	return fs, &opts
 }

@@ -133,27 +200,49 @@ func (opts *imageOptions) newSystemContext() (*types.SystemContext, error) {
 	ctx.AuthFilePath = opts.shared.authFilePath
 	ctx.DockerDaemonHost = opts.dockerDaemonHost
 	ctx.DockerDaemonCertPath = opts.dockerCertPath
-	if opts.dockerImageOptions.authFilePath.present {
-		ctx.AuthFilePath = opts.dockerImageOptions.authFilePath.value
+	if opts.dockerImageOptions.authFilePath.Present() {
+		ctx.AuthFilePath = opts.dockerImageOptions.authFilePath.Value()
 	}
-	if opts.tlsVerify.present {
-		ctx.DockerDaemonInsecureSkipTLSVerify = !opts.tlsVerify.value
+	if opts.deprecatedTLSVerify != nil && opts.deprecatedTLSVerify.tlsVerify.Present() {
+		// If both this deprecated option and a non-deprecated option is present, we use the latter value.
+		ctx.DockerInsecureSkipTLSVerify = types.NewOptionalBool(!opts.deprecatedTLSVerify.tlsVerify.Value())
 	}
-	if opts.tlsVerify.present {
-		ctx.DockerInsecureSkipTLSVerify = types.NewOptionalBool(!opts.tlsVerify.value)
+	if opts.tlsVerify.Present() {
+		ctx.DockerDaemonInsecureSkipTLSVerify = !opts.tlsVerify.Value()
 	}
-	if opts.credsOption.present && opts.noCreds {
+	if opts.tlsVerify.Present() {
+		ctx.DockerInsecureSkipTLSVerify = types.NewOptionalBool(!opts.tlsVerify.Value())
+	}
+	if opts.credsOption.Present() && opts.noCreds {
 		return nil, errors.New("creds and no-creds cannot be specified at the same time")
 	}
-	if opts.credsOption.present {
+	if opts.userName.Present() && opts.noCreds {
+		return nil, errors.New("username and no-creds cannot be specified at the same time")
+	}
+	if opts.credsOption.Present() && opts.userName.Present() {
+		return nil, errors.New("creds and username cannot be specified at the same time")
+	}
+	// if any of username or password is present, then both are expected to be present
+	if opts.userName.Present() != opts.password.Present() {
+		if opts.userName.Present() {
+			return nil, errors.New("password must be specified when username is specified")
+		}
+		return nil, errors.New("username must be specified when password is specified")
+	}
+	if opts.credsOption.Present() {
 		var err error
-		ctx.DockerAuthConfig, err = getDockerAuth(opts.credsOption.value)
+		ctx.DockerAuthConfig, err = getDockerAuth(opts.credsOption.Value())
 		if err != nil {
 			return nil, err
 		}
+	} else if opts.userName.Present() {
+		ctx.DockerAuthConfig = &types.DockerAuthConfig{
+			Username: opts.userName.Value(),
+			Password: opts.password.Value(),
+		}
 	}
-	if opts.registryToken.present {
-		ctx.DockerBearerRegistryToken = opts.registryToken.value
+	if opts.registryToken.Present() {
+		ctx.DockerBearerRegistryToken = opts.registryToken.Value()
 	}
 	if opts.noCreds {
 		ctx.DockerAuthConfig = &types.DockerAuthConfig{}
@@ -163,24 +252,30 @@ func (opts *imageOptions) newSystemContext() (*types.SystemContext, error) {
 }

 // imageDestOptions is a superset of imageOptions specialized for image destinations.
+// Every user should call imageDestOptions.warnAboutIneffectiveOptions() as part of handling the CLI
 type imageDestOptions struct {
 	*imageOptions
-	dirForceCompression         bool        // Compress layers when saving to the dir: transport
-	ociAcceptUncompressedLayers bool        // Whether to accept uncompressed layers in the oci: transport
-	compressionFormat           string      // Format to use for the compression
-	compressionLevel            optionalInt // Level to use for the compression
+	dirForceCompression         bool                   // Compress layers when saving to the dir: transport
+	dirForceDecompression       bool                   // Decompress layers when saving to the dir: transport
+	ociAcceptUncompressedLayers bool                   // Whether to accept uncompressed layers in the oci: transport
+	compressionFormat           string                 // Format to use for the compression
+	compressionLevel            commonFlag.OptionalInt // Level to use for the compression
+	precomputeDigests           bool                   // Precompute digests to dedup layers when saving to the docker: transport
+	imageDestFlagPrefix         string
 }

 // imageDestFlags prepares a collection of CLI flags writing into imageDestOptions, and the managed imageDestOptions structure.
-func imageDestFlags(global *globalOptions, shared *sharedImageOptions, flagPrefix, credsOptionAlias string) (pflag.FlagSet, *imageDestOptions) {
-	genericFlags, genericOptions := imageFlags(global, shared, flagPrefix, credsOptionAlias)
-	opts := imageDestOptions{imageOptions: genericOptions}
+func imageDestFlags(global *globalOptions, shared *sharedImageOptions, deprecatedTLSVerify *deprecatedTLSVerifyOption, flagPrefix, credsOptionAlias string) (pflag.FlagSet, *imageDestOptions) {
+	genericFlags, genericOptions := imageFlags(global, shared, deprecatedTLSVerify, flagPrefix, credsOptionAlias)
+	opts := imageDestOptions{imageOptions: genericOptions, imageDestFlagPrefix: flagPrefix}
 	fs := pflag.FlagSet{}
 	fs.AddFlagSet(&genericFlags)
 	fs.BoolVar(&opts.dirForceCompression, flagPrefix+"compress", false, "Compress tarball image layers when saving to directory using the 'dir' transport. (default is same compression type as source)")
+	fs.BoolVar(&opts.dirForceDecompression, flagPrefix+"decompress", false, "Decompress tarball image layers when saving to directory using the 'dir' transport. (default is same compression type as source)")
 	fs.BoolVar(&opts.ociAcceptUncompressedLayers, flagPrefix+"oci-accept-uncompressed-layers", false, "Allow uncompressed image layers when saving to an OCI image using the 'oci' transport. (default is to compress things that aren't compressed)")
 	fs.StringVar(&opts.compressionFormat, flagPrefix+"compress-format", "", "`FORMAT` to use for the compression")
-	fs.Var(newOptionalIntValue(&opts.compressionLevel), flagPrefix+"compress-level", "`LEVEL` to use for the compression")
+	fs.Var(commonFlag.NewOptionalIntValue(&opts.compressionLevel), flagPrefix+"compress-level", "`LEVEL` to use for the compression")
+	fs.BoolVar(&opts.precomputeDigests, flagPrefix+"precompute-digests", false, "Precompute digests to prevent uploading layers already on the registry using the 'docker' transport.")
 	return fs, &opts
 }

@@ -193,6 +288,7 @@ func (opts *imageDestOptions) newSystemContext() (*types.SystemContext, error) {
 	}

 	ctx.DirForceCompress = opts.dirForceCompression
+	ctx.DirForceDecompress = opts.dirForceDecompression
 	ctx.OCIAcceptUncompressedLayers = opts.ociAcceptUncompressedLayers
 	if opts.compressionFormat != "" {
 		cf, err := compression.AlgorithmByName(opts.compressionFormat)
@@ -201,24 +297,36 @@ func (opts *imageDestOptions) newSystemContext() (*types.SystemContext, error) {
 		}
 		ctx.CompressionFormat = &cf
 	}
-	if opts.compressionLevel.present {
-		ctx.CompressionLevel = &opts.compressionLevel.value
+	if opts.compressionLevel.Present() {
+		value := opts.compressionLevel.Value()
+		ctx.CompressionLevel = &value
 	}
+	ctx.DockerRegistryPushPrecomputeDigests = opts.precomputeDigests
 	return ctx, err
 }

+// warnAboutIneffectiveOptions warns if any ineffective option was set by the user
+// Every user should call this as part of handling the CLI
+func (opts *imageDestOptions) warnAboutIneffectiveOptions(destTransport types.ImageTransport) {
+	if destTransport.Name() != directory.Transport.Name() {
+		if opts.dirForceCompression {
+			logrus.Warnf("--%s can only be used if the destination transport is 'dir'", opts.imageDestFlagPrefix+"compress")
+		}
+		if opts.dirForceDecompression {
+			logrus.Warnf("--%s can only be used if the destination transport is 'dir'", opts.imageDestFlagPrefix+"decompress")
+		}
+	}
+}
+
 func parseCreds(creds string) (string, string, error) {
 	if creds == "" {
 		return "", "", errors.New("credentials can't be empty")
 	}
-	up := strings.SplitN(creds, ":", 2)
-	if len(up) == 1 {
-		return up[0], "", nil
-	}
-	if up[0] == "" {
+	username, password, _ := strings.Cut(creds, ":") // Sets password to "" if there is no ":"
+	if username == "" {
 		return "", "", errors.New("username can't be empty")
 	}
-	return up[0], up[1], nil
+	return username, password, nil
 }

 func getDockerAuth(creds string) (*types.DockerAuthConfig, error) {
@@ -246,6 +354,21 @@ func parseImageSource(ctx context.Context, opts *imageOptions, name string) (typ
 	return ref.NewImageSource(ctx, sys)
 }

+// parseManifestFormat parses format parameter for copy and sync command.
+// It returns string value to use as manifest MIME type
+func parseManifestFormat(manifestFormat string) (string, error) {
+	switch manifestFormat {
+	case "oci":
+		return imgspecv1.MediaTypeImageManifest, nil
+	case "v2s1":
+		return manifest.DockerV2Schema1SignedMediaType, nil
+	case "v2s2":
+		return manifest.DockerV2Schema2MediaType, nil
+	default:
+		return "", fmt.Errorf("unknown format %q. Choose one of the supported formats: 'oci', 'v2s1', or 'v2s2'", manifestFormat)
+	}
+}
+
 // usageTemplate returns the usage template for skopeo commands
 // This blocks the displaying of the global options. The main skopeo
 // command should not use this.
@@ -274,3 +397,39 @@ func adjustUsage(c *cobra.Command) {
 	c.SetUsageTemplate(usageTemplate)
 	c.DisableFlagsInUseLine = true
 }
+
+// promptForPassphrase interactively prompts for a passphrase related to privateKeyFile
+func promptForPassphrase(privateKeyFile string, stdin, stdout *os.File) (string, error) {
+	stdinFd := int(stdin.Fd())
+	if !term.IsTerminal(stdinFd) {
+		return "", fmt.Errorf("Cannot prompt for a passphrase for key %s, standard input is not a TTY", privateKeyFile)
+	}
+
+	fmt.Fprintf(stdout, "Passphrase for key %s: ", privateKeyFile)
+	passphrase, err := term.ReadPassword(stdinFd)
+	if err != nil {
+		return "", fmt.Errorf("Error reading password: %w", err)
+	}
+	fmt.Fprintf(stdout, "\n")
+	return string(passphrase), nil
+}
+
+// isNotFoundImageError heuristically attempts to determine whether an error
+// is saying the remote source couldn't find the image (as opposed to an
+// authentication error, an I/O error etc.)
+// TODO drive this into containers/image properly
+func isNotFoundImageError(err error) bool {
+	return isDockerManifestUnknownError(err) ||
+		errors.Is(err, storage.ErrNoSuchImage) ||
+		errors.Is(err, ocilayout.ImageNotFoundError{})
+}
+
+// isDockerManifestUnknownError is a copy of code from containers/image,
+// please update there first.
+func isDockerManifestUnknownError(err error) bool {
+	var ec dockerdistributionerrcode.ErrorCoder
+	if !errors.As(err, &ec) {
+		return false
+	}
+	return ec.ErrorCode() == dockerdistributionapi.ErrorCodeManifestUnknown
+}
--- a/cmd/skopeo/utils_test.go
+++ b/cmd/skopeo/utils_test.go
@@ -1,31 +1,64 @@
 package main

 import (
-	"os"
+	"errors"
 	"testing"

+	"github.com/containers/image/v5/manifest"
 	"github.com/containers/image/v5/types"
+	imgspecv1 "github.com/opencontainers/image-spec/specs-go/v1"
 	"github.com/spf13/cobra"
+	"github.com/spf13/pflag"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )

+func TestNoteCloseFailure(t *testing.T) {
+	const description = "description"
+
+	mainErr := errors.New("main")
+	closeErr := errors.New("closing")
+
+	// Main success, closing failed
+	res := noteCloseFailure(nil, description, closeErr)
+	require.NotNil(t, res)
+	assert.Contains(t, res.Error(), description)
+	assert.Contains(t, res.Error(), closeErr.Error())
+
+	// Both main and closing failed
+	res = noteCloseFailure(mainErr, description, closeErr)
+	require.NotNil(t, res)
+	assert.Contains(t, res.Error(), mainErr.Error())
+	assert.Contains(t, res.Error(), description)
+	assert.Contains(t, res.Error(), closeErr.Error())
+	assert.ErrorIs(t, res, mainErr)
+}
+
 // fakeGlobalOptions creates globalOptions and sets it according to flags.
 func fakeGlobalOptions(t *testing.T, flags []string) (*globalOptions, *cobra.Command) {
 	app, opts := createApp()
 	cmd := &cobra.Command{}
 	app.AddCommand(cmd)
-	err := cmd.ParseFlags(flags)
+	err := app.ParseFlags(flags)
 	require.NoError(t, err)
 	return opts, cmd
 }

 // fakeImageOptions creates imageOptions and sets it according to globalFlags/cmdFlags.
-func fakeImageOptions(t *testing.T, flagPrefix string, globalFlags []string, cmdFlags []string) *imageOptions {
+func fakeImageOptions(t *testing.T, flagPrefix string, useDeprecatedTLSVerify bool,
+	globalFlags []string, cmdFlags []string) *imageOptions {
 	globalOpts, cmd := fakeGlobalOptions(t, globalFlags)
 	sharedFlags, sharedOpts := sharedImageFlags()
-	imageFlags, imageOpts := imageFlags(globalOpts, sharedOpts, flagPrefix, "")
+	var deprecatedTLSVerifyFlag pflag.FlagSet
+	var deprecatedTLSVerifyOpt *deprecatedTLSVerifyOption
+	if useDeprecatedTLSVerify {
+		deprecatedTLSVerifyFlag, deprecatedTLSVerifyOpt = deprecatedTLSVerifyFlags()
+	}
+	imageFlags, imageOpts := imageFlags(globalOpts, sharedOpts, deprecatedTLSVerifyOpt, flagPrefix, "")
 	cmd.Flags().AddFlagSet(&sharedFlags)
+	if useDeprecatedTLSVerify {
+		cmd.Flags().AddFlagSet(&deprecatedTLSVerifyFlag)
+	}
 	cmd.Flags().AddFlagSet(&imageFlags)
 	err := cmd.ParseFlags(cmdFlags)
 	require.NoError(t, err)
@@ -34,13 +67,15 @@ func fakeImageOptions(t *testing.T, flagPrefix string, globalFlags []string, cmd

 func TestImageOptionsNewSystemContext(t *testing.T) {
 	// Default state
-	opts := fakeImageOptions(t, "dest-", []string{}, []string{})
+	opts := fakeImageOptions(t, "dest-", true, []string{}, []string{})
 	res, err := opts.newSystemContext()
 	require.NoError(t, err)
-	assert.Equal(t, &types.SystemContext{}, res)
+	assert.Equal(t, &types.SystemContext{
+		DockerRegistryUserAgent: defaultUserAgent,
+	}, res)

 	// Set everything to non-default values.
-	opts = fakeImageOptions(t, "dest-", []string{
+	opts = fakeImageOptions(t, "dest-", true, []string{
 		"--registries.d", "/srv/registries.d",
 		"--override-arch", "overridden-arch",
 		"--override-os", "overridden-os",
@@ -72,52 +107,33 @@ func TestImageOptionsNewSystemContext(t *testing.T) {
 		DockerDaemonCertPath:              "/srv/cert-dir",
 		DockerDaemonHost:                  "daemon-host.example.com",
 		DockerDaemonInsecureSkipTLSVerify: true,
+		DockerRegistryUserAgent:           defaultUserAgent,
 		BigFilesTemporaryDir:              "/srv",
 	}, res)

-	// Global/per-command tlsVerify behavior
-	for _, c := range []struct {
-		global, cmd          string
-		expectedDocker       types.OptionalBool
-		expectedDockerDaemon bool
-	}{
-		{"", "", types.OptionalBoolUndefined, false},
-		{"", "false", types.OptionalBoolTrue, true},
-		{"", "true", types.OptionalBoolFalse, false},
-		{"false", "", types.OptionalBoolTrue, false},
-		{"false", "false", types.OptionalBoolTrue, true},
-		{"false", "true", types.OptionalBoolFalse, false},
-		{"true", "", types.OptionalBoolFalse, false},
-		{"true", "false", types.OptionalBoolTrue, true},
-		{"true", "true", types.OptionalBoolFalse, false},
-	} {
-		globalFlags := []string{}
-		if c.global != "" {
-			globalFlags = append(globalFlags, "--tls-verify="+c.global)
-		}
-		cmdFlags := []string{}
-		if c.cmd != "" {
-			cmdFlags = append(cmdFlags, "--dest-tls-verify="+c.cmd)
-		}
-		opts := fakeImageOptions(t, "dest-", globalFlags, cmdFlags)
-		res, err = opts.newSystemContext()
-		require.NoError(t, err)
-		assert.Equal(t, c.expectedDocker, res.DockerInsecureSkipTLSVerify, "%#v", c)
-		assert.Equal(t, c.expectedDockerDaemon, res.DockerDaemonInsecureSkipTLSVerify, "%#v", c)
-	}
+	// Global/per-command tlsVerify behavior is tested in TestTLSVerifyFlags.

 	// Invalid option values
-	opts = fakeImageOptions(t, "dest-", []string{}, []string{"--dest-creds", ""})
+	opts = fakeImageOptions(t, "dest-", true, []string{}, []string{"--dest-creds", ""})
 	_, err = opts.newSystemContext()
 	assert.Error(t, err)
 }

 // fakeImageDestOptions creates imageDestOptions and sets it according to globalFlags/cmdFlags.
-func fakeImageDestOptions(t *testing.T, flagPrefix string, globalFlags []string, cmdFlags []string) *imageDestOptions {
+func fakeImageDestOptions(t *testing.T, flagPrefix string, useDeprecatedTLSVerify bool,
+	globalFlags []string, cmdFlags []string) *imageDestOptions {
 	globalOpts, cmd := fakeGlobalOptions(t, globalFlags)
 	sharedFlags, sharedOpts := sharedImageFlags()
-	imageFlags, imageOpts := imageDestFlags(globalOpts, sharedOpts, flagPrefix, "")
+	var deprecatedTLSVerifyFlag pflag.FlagSet
+	var deprecatedTLSVerifyOpt *deprecatedTLSVerifyOption
+	if useDeprecatedTLSVerify {
+		deprecatedTLSVerifyFlag, deprecatedTLSVerifyOpt = deprecatedTLSVerifyFlags()
+	}
+	imageFlags, imageOpts := imageDestFlags(globalOpts, sharedOpts, deprecatedTLSVerifyOpt, flagPrefix, "")
 	cmd.Flags().AddFlagSet(&sharedFlags)
+	if useDeprecatedTLSVerify {
+		cmd.Flags().AddFlagSet(&deprecatedTLSVerifyFlag)
+	}
 	cmd.Flags().AddFlagSet(&imageFlags)
 	err := cmd.ParseFlags(cmdFlags)
 	require.NoError(t, err)
@@ -126,33 +142,30 @@ func fakeImageDestOptions(t *testing.T, flagPrefix string, globalFlags []string,

 func TestImageDestOptionsNewSystemContext(t *testing.T) {
 	// Default state
-	opts := fakeImageDestOptions(t, "dest-", []string{}, []string{})
+	opts := fakeImageDestOptions(t, "dest-", true, []string{}, []string{})
 	res, err := opts.newSystemContext()
 	require.NoError(t, err)
-	assert.Equal(t, &types.SystemContext{}, res)
+	assert.Equal(t, &types.SystemContext{
+		DockerRegistryUserAgent: defaultUserAgent,
+	}, res)

-	oldXRD, hasXRD := os.LookupEnv("REGISTRY_AUTH_FILE")
-	defer func() {
-		if hasXRD {
-			os.Setenv("REGISTRY_AUTH_FILE", oldXRD)
-		} else {
-			os.Unsetenv("REGISTRY_AUTH_FILE")
-		}
-	}()
 	authFile := "/tmp/auth.json"
 	// Make sure when REGISTRY_AUTH_FILE is set the auth file is used
-	os.Setenv("REGISTRY_AUTH_FILE", authFile)
+	t.Setenv("REGISTRY_AUTH_FILE", authFile)

 	// Explicitly set everything to default, except for when the default is “not present”
-	opts = fakeImageDestOptions(t, "dest-", []string{}, []string{
+	opts = fakeImageDestOptions(t, "dest-", true, []string{}, []string{
 		"--dest-compress=false",
 	})
 	res, err = opts.newSystemContext()
 	require.NoError(t, err)
-	assert.Equal(t, &types.SystemContext{AuthFilePath: authFile}, res)
+	assert.Equal(t, &types.SystemContext{
+		AuthFilePath:            authFile,
+		DockerRegistryUserAgent: defaultUserAgent,
+	}, res)

 	// Set everything to non-default values.
-	opts = fakeImageDestOptions(t, "dest-", []string{
+	opts = fakeImageDestOptions(t, "dest-", true, []string{
 		"--registries.d", "/srv/registries.d",
 		"--override-arch", "overridden-arch",
 		"--override-os", "overridden-os",
@@ -167,37 +180,211 @@ func TestImageDestOptionsNewSystemContext(t *testing.T) {
 		"--dest-tls-verify=false",
 		"--dest-creds", "creds-user:creds-password",
 		"--dest-registry-token", "faketoken",
+		"--dest-precompute-digests=true",
 	})
 	res, err = opts.newSystemContext()
 	require.NoError(t, err)
 	assert.Equal(t, &types.SystemContext{
-		RegistriesDirPath:                 "/srv/registries.d",
-		AuthFilePath:                      "/srv/authfile",
-		ArchitectureChoice:                "overridden-arch",
-		OSChoice:                          "overridden-os",
-		VariantChoice:                     "overridden-variant",
-		OCISharedBlobDirPath:              "/srv/shared-blob-dir",
-		DockerCertPath:                    "/srv/cert-dir",
-		DockerInsecureSkipTLSVerify:       types.OptionalBoolTrue,
-		DockerAuthConfig:                  &types.DockerAuthConfig{Username: "creds-user", Password: "creds-password"},
-		DockerBearerRegistryToken:         "faketoken",
-		DockerDaemonCertPath:              "/srv/cert-dir",
-		DockerDaemonHost:                  "daemon-host.example.com",
-		DockerDaemonInsecureSkipTLSVerify: true,
-		DirForceCompress:                  true,
-		BigFilesTemporaryDir:              "/srv",
+		RegistriesDirPath:                   "/srv/registries.d",
+		AuthFilePath:                        "/srv/authfile",
+		ArchitectureChoice:                  "overridden-arch",
+		OSChoice:                            "overridden-os",
+		VariantChoice:                       "overridden-variant",
+		OCISharedBlobDirPath:                "/srv/shared-blob-dir",
+		DockerCertPath:                      "/srv/cert-dir",
+		DockerInsecureSkipTLSVerify:         types.OptionalBoolTrue,
+		DockerAuthConfig:                    &types.DockerAuthConfig{Username: "creds-user", Password: "creds-password"},
+		DockerBearerRegistryToken:           "faketoken",
+		DockerDaemonCertPath:                "/srv/cert-dir",
+		DockerDaemonHost:                    "daemon-host.example.com",
+		DockerDaemonInsecureSkipTLSVerify:   true,
+		DockerRegistryUserAgent:             defaultUserAgent,
+		DirForceCompress:                    true,
+		BigFilesTemporaryDir:                "/srv",
+		DockerRegistryPushPrecomputeDigests: true,
 	}, res)

+	// Global/per-command tlsVerify behavior is tested in TestTLSVerifyFlags.
+
 	// Invalid option values in imageOptions
-	opts = fakeImageDestOptions(t, "dest-", []string{}, []string{"--dest-creds", ""})
+	opts = fakeImageDestOptions(t, "dest-", true, []string{}, []string{"--dest-creds", ""})
 	_, err = opts.newSystemContext()
 	assert.Error(t, err)
 }

+// TestImageOptionsUsernamePassword verifies that using the username and password
+// options works as expected
+func TestImageOptionsUsernamePassword(t *testing.T) {
+	for _, command := range []struct {
+		commandArgs        []string
+		expectedAuthConfig *types.DockerAuthConfig // data to expect, or nil if an error is expected
+	}{
+		// Set only username/password (without --creds), expected to pass
+		{
+			commandArgs:        []string{"--dest-username", "foo", "--dest-password", "bar"},
+			expectedAuthConfig: &types.DockerAuthConfig{Username: "foo", Password: "bar"},
+		},
+		// no username but set password, expect error
+		{
+			commandArgs:        []string{"--dest-password", "foo"},
+			expectedAuthConfig: nil,
+		},
+		// set username but no password. expected to fail (we currently don't allow a user without password)
+		{
+			commandArgs:        []string{"--dest-username", "bar"},
+			expectedAuthConfig: nil,
+		},
+		// set username with --creds, expected to fail
+		{
+			commandArgs:        []string{"--dest-username", "bar", "--dest-creds", "hello:world", "--dest-password", "foo"},
+			expectedAuthConfig: nil,
+		},
+		// set username with --no-creds, expected to fail
+		{
+			commandArgs:        []string{"--dest-username", "bar", "--dest-no-creds", "--dest-password", "foo"},
+			expectedAuthConfig: nil,
+		},
+	} {
+		opts := fakeImageDestOptions(t, "dest-", true, []string{}, command.commandArgs)
+		// parse the command options
+		res, err := opts.newSystemContext()
+		if command.expectedAuthConfig == nil {
+			assert.Error(t, err)
+		} else {
+			require.NoError(t, err)
+			assert.Equal(t, &types.SystemContext{
+				DockerRegistryUserAgent: defaultUserAgent,
+				DockerAuthConfig:        command.expectedAuthConfig,
+			}, res)
+		}
+	}
+}
+
+func TestTLSVerifyFlags(t *testing.T) {
+	type systemContextOpts interface { // Either *imageOptions or *imageDestOptions
+		newSystemContext() (*types.SystemContext, error)
+	}
+
+	for _, creator := range []struct {
+		name    string
+		newOpts func(useDeprecatedTLSVerify bool, globalFlags, cmdFlags []string) systemContextOpts
+	}{
+		{
+			"imageFlags",
+			func(useDeprecatedTLSVerify bool, globalFlags, cmdFlags []string) systemContextOpts {
+				return fakeImageOptions(t, "dest-", useDeprecatedTLSVerify, globalFlags, cmdFlags)
+			},
+		},
+		{
+			"imageDestFlags",
+			func(useDeprecatedTLSVerify bool, globalFlags, cmdFlags []string) systemContextOpts {
+				return fakeImageDestOptions(t, "dest-", useDeprecatedTLSVerify, globalFlags, cmdFlags)
+			},
+		},
+	} {
+		t.Run(creator.name, func(t *testing.T) {
+			for _, c := range []struct {
+				global, deprecatedCmd, cmd string
+				expectedDocker             types.OptionalBool
+				expectedDockerDaemon       bool
+			}{
+				{"", "", "", types.OptionalBoolUndefined, false},
+				{"", "", "false", types.OptionalBoolTrue, true},
+				{"", "", "true", types.OptionalBoolFalse, false},
+				{"", "false", "", types.OptionalBoolTrue, false},
+				{"", "false", "false", types.OptionalBoolTrue, true},
+				{"", "false", "true", types.OptionalBoolFalse, false},
+				{"", "true", "", types.OptionalBoolFalse, false},
+				{"", "true", "false", types.OptionalBoolTrue, true},
+				{"", "true", "true", types.OptionalBoolFalse, false},
+				{"false", "", "", types.OptionalBoolTrue, false},
+				{"false", "", "false", types.OptionalBoolTrue, true},
+				{"false", "", "true", types.OptionalBoolFalse, false},
+				{"false", "false", "", types.OptionalBoolTrue, false},
+				{"false", "false", "false", types.OptionalBoolTrue, true},
+				{"false", "false", "true", types.OptionalBoolFalse, false},
+				{"false", "true", "", types.OptionalBoolFalse, false},
+				{"false", "true", "false", types.OptionalBoolTrue, true},
+				{"false", "true", "true", types.OptionalBoolFalse, false},
+				{"true", "", "", types.OptionalBoolFalse, false},
+				{"true", "", "false", types.OptionalBoolTrue, true},
+				{"true", "", "true", types.OptionalBoolFalse, false},
+				{"true", "false", "", types.OptionalBoolTrue, false},
+				{"true", "false", "false", types.OptionalBoolTrue, true},
+				{"true", "false", "true", types.OptionalBoolFalse, false},
+				{"true", "true", "", types.OptionalBoolFalse, false},
+				{"true", "true", "false", types.OptionalBoolTrue, true},
+				{"true", "true", "true", types.OptionalBoolFalse, false},
+			} {
+				globalFlags := []string{}
+				if c.global != "" {
+					globalFlags = append(globalFlags, "--tls-verify="+c.global)
+				}
+				cmdFlags := []string{}
+				if c.deprecatedCmd != "" {
+					cmdFlags = append(cmdFlags, "--tls-verify="+c.deprecatedCmd)
+				}
+				if c.cmd != "" {
+					cmdFlags = append(cmdFlags, "--dest-tls-verify="+c.cmd)
+				}
+				opts := creator.newOpts(true, globalFlags, cmdFlags)
+				res, err := opts.newSystemContext()
+				require.NoError(t, err)
+				assert.Equal(t, c.expectedDocker, res.DockerInsecureSkipTLSVerify, "%#v", c)
+				assert.Equal(t, c.expectedDockerDaemon, res.DockerDaemonInsecureSkipTLSVerify, "%#v", c)
+
+				if c.deprecatedCmd == "" { // Test also the behavior when deprecatedTLSFlag is not recognized
+					// Use globalFlags from the previous test
+					cmdFlags := []string{}
+					if c.cmd != "" {
+						cmdFlags = append(cmdFlags, "--dest-tls-verify="+c.cmd)
+					}
+					opts := creator.newOpts(false, globalFlags, cmdFlags)
+					res, err = opts.newSystemContext()
+					require.NoError(t, err)
+					assert.Equal(t, c.expectedDocker, res.DockerInsecureSkipTLSVerify, "%#v", c)
+					assert.Equal(t, c.expectedDockerDaemon, res.DockerDaemonInsecureSkipTLSVerify, "%#v", c)
+				}
+			}
+		})
+	}
+}
+
+func TestParseManifestFormat(t *testing.T) {
+	for _, testCase := range []struct {
+		formatParam          string
+		expectedManifestType string
+		expectErr            bool
+	}{
+		{"oci",
+			imgspecv1.MediaTypeImageManifest,
+			false},
+		{"v2s1",
+			manifest.DockerV2Schema1SignedMediaType,
+			false},
+		{"v2s2",
+			manifest.DockerV2Schema2MediaType,
+			false},
+		{"",
+			"",
+			true},
+		{"badValue",
+			"",
+			true},
+	} {
+		manifestType, err := parseManifestFormat(testCase.formatParam)
+		if testCase.expectErr {
+			require.Error(t, err)
+		} else {
+			require.NoError(t, err)
+		}
+		assert.Equal(t, manifestType, testCase.expectedManifestType)
+	}
+}
+
 // since there is a shared authfile image option and a non-shared (prefixed) one, make sure the override logic
 // works correctly.
 func TestImageOptionsAuthfileOverride(t *testing.T) {
-
 	for _, testCase := range []struct {
 		flagPrefix           string
 		cmdFlags             []string
@@ -228,12 +415,13 @@ func TestImageOptionsAuthfileOverride(t *testing.T) {
 			}, "/srv/dest-authfile",
 		},
 	} {
-		opts := fakeImageOptions(t, testCase.flagPrefix, []string{}, testCase.cmdFlags)
+		opts := fakeImageOptions(t, testCase.flagPrefix, false, []string{}, testCase.cmdFlags)
 		res, err := opts.newSystemContext()
 		require.NoError(t, err)

 		assert.Equal(t, &types.SystemContext{
-			AuthFilePath: testCase.expectedAuthfilePath,
+			AuthFilePath:            testCase.expectedAuthfilePath,
+			DockerRegistryUserAgent: defaultUserAgent,
 		}, res)
 	}
 }
--- a/completions/bash/skopeo
+++ b/completions/bash/skopeo
@@ -1,279 +0,0 @@
-#! /bin/bash
-
-_complete_() {
-    local options_with_args=$1
-    local boolean_options="$2 -h --help"
-    local transports=$3
-
-    local option_with_args
-    for option_with_args in $options_with_args $transports
-    do
-        if [ "$option_with_args" == "$prev" ] || [ "$option_with_args" == "$cur" ]
-        then
-            return
-        fi
-    done
-
-    case "$cur" in
-        -*)
-            while IFS='' read -r line; do COMPREPLY+=("$line"); done < <(compgen -W "$boolean_options $options_with_args" -- "$cur")
-            ;;
-        *)
-            if [ -n "$transports" ]
-            then
-                compopt -o nospace
-                while IFS='' read -r line; do COMPREPLY+=("$line"); done < <(compgen -W "$transports" -- "$cur")
-            fi
-            ;;
-    esac
-}
-
-_skopeo_supported_transports() {
-    local subcommand=$1
-
-    skopeo "$subcommand" --help | grep "Supported transports" -A 1 | tail -n 1 | sed -e 's/,/:/g' -e 's/$/:/'
-}
-
-_skopeo_copy() {
-    local options_with_args="
-    --authfile
-    --src-authfile
-    --dest-authfile
-    --format -f
-    --sign-by
-    --src-creds --screds
-    --src-cert-dir
-    --src-tls-verify
-    --dest-creds --dcreds
-    --dest-cert-dir
-    --dest-tls-verify
-    --src-daemon-host
-    --dest-daemon-host
-    --src-registry-token
-    --dest-registry-token
-    "
-
-    local boolean_options="
-    --all
-    --dest-compress
-    --remove-signatures
-    --src-no-creds
-    --dest-no-creds
-    --dest-oci-accept-uncompressed-layers
-    "
-
-    local transports
-    transports="
-    $(_skopeo_supported_transports "${FUNCNAME//"_skopeo_"/}")
-    "
-
-    _complete_ "$options_with_args" "$boolean_options" "$transports"
-}
-
-_skopeo_inspect() {
-     local options_with_args="
-     --authfile
-     --creds
-     --cert-dir
-     --format
-     --retry-times
-     --registry-token
-     "
-     local boolean_options="
-     --config
-     --raw
-     --tls-verify
-     --no-creds
-    "
-
-    local transports
-    transports="
-    $(_skopeo_supported_transports "${FUNCNAME//"_skopeo_"/}")
-    "
-
-    _complete_ "$options_with_args" "$boolean_options" "$transports"
-}
-
-_skopeo_standalone_sign() {
-     local options_with_args="
-       -o --output
-     "
-     local boolean_options="
-     "
-    _complete_ "$options_with_args" "$boolean_options"
-}
-
-_skopeo_standalone_verify() {
-     local options_with_args="
-     "
-     local boolean_options="
-     "
-    _complete_ "$options_with_args" "$boolean_options"
-}
-
-_skopeo_manifest_digest() {
-     local options_with_args="
-     "
-     local boolean_options="
-     "
-    _complete_ "$options_with_args" "$boolean_options"
-}
-
-_skopeo_delete() {
-     local options_with_args="
-     --authfile
-     --creds
-     --cert-dir
-     --registry-token
-     "
-     local boolean_options="
-     --tls-verify
-     --no-creds
-     "
-
-    local transports
-    transports="
-    $(_skopeo_supported_transports "${FUNCNAME//"_skopeo_"/}")
-    "
-
-    _complete_ "$options_with_args" "$boolean_options" "$transports"
-}
-
-_skopeo_layers() {
-     local options_with_args="
-       --authfile
-       --creds
-       --cert-dir
-       --registry-token
-     "
-     local boolean_options="
-       --tls-verify
-       --no-creds
-     "
-    _complete_ "$options_with_args" "$boolean_options"
-}
-
-_skopeo_list_repository_tags() {
-     local options_with_args="
-     --authfile
-     --creds
-     --cert-dir
-     --registry-token
-     "
-
-     local boolean_options="
-     --tls-verify
-     --no-creds
-     "
-    _complete_ "$options_with_args" "$boolean_options"
-}
-
-_skopeo_login() {
-    local options_with_args="
-    --authfile
-    --cert-dir
-    --password -p
-    --username -u
-    "
-
-    local boolean_options="
-    --get-login
-    --tls-verify
-    --password-stdin
-    "
-    _complete_ "$options_with_args" "$boolean_options"
-}
-
-_skopeo_logout() {
-    local options_with_args="
-    --authfile
-    "
-
-    local boolean_options="
-    --all -a
-    "
-    _complete_ "$options_with_args" "$boolean_options"
-}
-
-_skopeo_skopeo() {
-     # XXX: Changes here need to be reflected in the manually expanded
-     # string in the `case` statement below as well.
-     local options_with_args="
-       --policy
-       --registries.d
-       --override-arch
-       --override-os
-       --override-variant
-       --command-timeout
-       --tmpdir
-     "
-     local boolean_options="
-       --insecure-policy
-       --debug
-       --version -v
-       --help -h
-     "
-
-     local commands=(
-       copy
-       delete
-       inspect
-       list-tags
-       login
-       logout
-       manifest-digest
-       standalone-sign
-       standalone-verify
-       sync
-       help
-       h
-     )
-
-     case "$prev" in
-         # XXX: Changes here need to be reflected in $options_with_args as well.
-         --policy|--registries.d|--override-arch|--override-os|--override-variant|--command-timeout)
-             return
-             ;;
-     esac
-
-     case "$cur" in
-         -*)
-             while IFS='' read -r line; do COMPREPLY+=("$line"); done < <(compgen -W "$boolean_options $options_with_args" -- "$cur")
-             ;;
-         *)
-             while IFS='' read -r line; do COMPREPLY+=("$line"); done < <(compgen -W "${commands[*]} help" -- "$cur")
-             ;;
-     esac
-}
-
-_cli_bash_autocomplete() {
-     local cur
-
-     COMPREPLY=()
-     cur="${COMP_WORDS[COMP_CWORD]}"
-     COMPREPLY=()
-     local cur prev words cword
-
-     _get_comp_words_by_ref -n : cur prev words cword
-
-     local command="skopeo" cpos=0
-     local counter=1
-     while [ $counter -lt "$cword" ]; do
-         case "${words[$counter]}" in
-             skopeo|copy|inspect|delete|manifest-digest|standalone-sign|standalone-verify|help|h|list-repository-tags)
-                 command="${words[$counter]//-/_}"
-                 cpos=$counter
-                 (( cpos++ ))
-                 break
-                 ;;
-         esac
-         (( counter++ ))
-     done
-
-     local completions_func=_skopeo_${command}
-     declare -F "$completions_func" >/dev/null && $completions_func
-
-     return 0
-}
-
- complete -F _cli_bash_autocomplete skopeo
--- a/contrib/cirrus/mac_cleanup.sh
+++ b/contrib/cirrus/mac_cleanup.sh
@@ -0,0 +1,40 @@
+#!/bin/bash
+
+# This script is intended to be called by Cirrus-CI on a Mac M1 persistent worker.
+# It performs a best-effort attempt at cleaning up from one task execution to the next.
+# Since it run both before and after tasks, it must exit cleanly if there was a cleanup
+# failure (i.e. file or directory not found).
+
+# Help anybody debugging side-effects, since failures are ignored (by necessity).
+set +e -x
+
+# These are the main processes which could leak out of testing.
+killall podman vfkit gvproxy make go ginkgo
+
+mkdir -p $TMPDIR
+
+# Golang will leave behind lots of read-only bits, ref:
+# https://go.dev/ref/mod#module-cache
+# However other tools/scripts could also set things read-only.
+# At this point in CI, we really want all this stuff gone-gone,
+# so there's actually zero-chance it can interfere.
+chmod -R u+w $TMPDIR/* $TMPDIR/.??*
+
+# This is defined as $TMPDIR during setup.  Name must be kept
+# "short" as sockets may reside here.  Darwin suffers from
+# the same limited socket-pathname character-length restriction
+# as Linux.
+rm -rf $TMPDIR/* $TMPDIR/.??*
+
+# Don't change or clobber anything under $CIRRUS_WORKING_DIR for
+# the currently running task.  But make sure we have write permission
+# (go get sets dependencies ro) for everything else, before removing it.
+# First make everything writeable - see the "Golang will..." comment above.
+# shellcheck disable=SC2154
+find "$HOME/ci" -mindepth 1 -maxdepth 1 \
+    -not -name "*task-${CIRRUS_TASK_ID}*" -prune -exec chmod -R u+w '{}' +
+find "$HOME/ci" -mindepth 1 -maxdepth 1 \
+    -not -name "*task-${CIRRUS_TASK_ID}*" -prune -exec rm -rf '{}' +
+
+# Bash scripts exit with the status of the last command.
+true
--- a/contrib/cirrus/ostree_ext.dockerfile
+++ b/contrib/cirrus/ostree_ext.dockerfile
@@ -0,0 +1,15 @@
+ARG BASE_FQIN=quay.io/coreos-assembler/fcos-buildroot:testing-devel
+FROM $BASE_FQIN
+
+# See 'Danger of using COPY and ADD instructions'
+# at https://cirrus-ci.org/guide/docker-builder-vm/#dockerfile-as-a-ci-environment
+# Provide easy way to force-invalidate image cache by .cirrus.yml change
+ARG CIRRUS_IMAGE_VERSION
+ENV CIRRUS_IMAGE_VERSION=$CIRRUS_IMAGE_VERSION
+ADD https://sh.rustup.rs /var/tmp/rustup_installer.sh
+
+RUN dnf remove -y rust && \
+    chmod +x /var/tmp/rustup_installer.sh && \
+    /var/tmp/rustup_installer.sh -y --default-toolchain stable --profile minimal
+
+ENV PATH=/root/.cargo/bin:/root/.local/bin:/root/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
--- a/contrib/cirrus/runner.sh
+++ b/contrib/cirrus/runner.sh
@@ -0,0 +1,143 @@
+#!/bin/bash
+
+# This script is intended to be executed by automation or humans
+# under a hack/get_ci_vm.sh context.  Use under any other circumstances
+# is unlikely to function.
+
+set -e
+
+# BEGIN Global export of all variables
+set -a
+
+# Due to differences across platforms and runtime execution environments,
+# handling of the (otherwise) default shell setup is non-uniform.  Rather
+# than attempt to workaround differences, simply force-load/set required
+# items every time this library is utilized.
+USER="$(whoami)"
+HOME="$(getent passwd $USER | cut -d : -f 6)"
+# Some platforms set and make this read-only
+[[ -n "$UID" ]] || \
+    UID=$(getent passwd $USER | cut -d : -f 3)
+
+if [[ -r "/etc/automation_environment" ]]; then
+    source /etc/automation_environment
+    source $AUTOMATION_LIB_PATH/common_lib.sh
+else
+    (
+    echo "WARNING: It does not appear that containers/automation was installed."
+    echo "         Functionality of most of ${BASH_SOURCE[0]} will be negatively"
+    echo "         impacted."
+    ) > /dev/stderr
+fi
+
+# This is the magic interpreted by the tests to allow modifying local config/services.
+SKOPEO_CONTAINER_TESTS=1
+
+PATH=$PATH:$GOPATH/bin
+
+# END Global export of all variables
+set +a
+
+
+_run_setup() {
+    local mnt
+    local errmsg
+    req_env_vars SKOPEO_CIDEV_CONTAINER_FQIN
+    if [[ "$OS_RELEASE_ID" != "fedora" ]]; then
+        die "Unknown/unsupported distro. $OS_REL_VER"
+    fi
+
+    if [[ -r "/.ci_setup_complete" ]]; then
+        warn "Thwarted an attempt to execute setup more than once."
+        return
+    fi
+
+    # VM's come with the distro. skopeo package pre-installed
+    dnf remove -y skopeo
+
+    msg "Removing systemd-resolved from nsswitch.conf"
+    # /etc/resolv.conf is already set to bypass systemd-resolvd
+    sed -i -r -e 's/^(hosts.+)resolve.+dns/\1dns/' /etc/nsswitch.conf
+
+    # A slew of compiled binaries are pre-built and distributed
+    # within the CI/Dev container image, but we want to run
+    # things directly on the host VM.  Fortunately they're all
+    # located in the container under /usr/local/bin
+    msg "Accessing contents of $SKOPEO_CIDEV_CONTAINER_FQIN"
+    podman pull --quiet $SKOPEO_CIDEV_CONTAINER_FQIN
+    mnt=$(podman mount $(podman create $SKOPEO_CIDEV_CONTAINER_FQIN))
+
+    # The container and VM images are built in tandem in the same repo.
+    # automation, but the sources are in different directories.  It's
+    # possible for a mismatch to happen, but should (hopefully) be unlikely.
+    # Double-check to make sure.
+    if ! fgrep -qx "ID=$OS_RELEASE_ID" $mnt/etc/os-release || \
+       ! fgrep -qx "VERSION_ID=$OS_RELEASE_VER" $mnt/etc/os-release; then
+            die "Somehow $SKOPEO_CIDEV_CONTAINER_FQIN is not based on $OS_REL_VER."
+    fi
+    msg "Copying test binaries from $SKOPEO_CIDEV_CONTAINER_FQIN /usr/local/bin/"
+    cp -a "$mnt/usr/local/bin/"* "/usr/local/bin/"
+    msg "Configuring the openshift registry"
+
+    # TODO: Put directory & yaml into more sensible place + update integration tests
+    mkdir -vp /registry
+    cp -a "$mnt/atomic-registry-config.yml" /
+
+    msg "Cleaning up"
+    podman umount --latest
+    podman rm --latest
+
+    # Ensure setup can only run once
+    touch "/.ci_setup_complete"
+}
+
+_run_vendor() {
+    make vendor BUILDTAGS="$BUILDTAGS"
+}
+
+_run_build() {
+    make bin/skopeo BUILDTAGS="$BUILDTAGS"
+    make install PREFIX=/usr/local
+}
+
+_run_cross() {
+    make local-cross BUILDTAGS="$BUILDTAGS"
+}
+
+_run_doccheck() {
+    make validate-docs BUILDTAGS="$BUILDTAGS"
+}
+
+_run_unit() {
+    make test-unit-local BUILDTAGS="$BUILDTAGS"
+}
+
+_podman_reset() {
+    # Ensure we start with a clean-slate
+    showrun podman system reset --force
+}
+
+_run_integration() {
+    _podman_reset
+    make test-integration-local BUILDTAGS="$BUILDTAGS"
+}
+
+_run_system() {
+    _podman_reset
+    ##### Note: Test MODIFIES THE HOST SETUP #####
+    make test-system-local BUILDTAGS="$BUILDTAGS"
+}
+
+req_env_vars SKOPEO_PATH BUILDTAGS
+
+handler="_run_${1}"
+if [ "$(type -t $handler)" != "function" ]; then
+    die "Unknown/Unsupported command-line argument '$1'"
+fi
+
+msg "************************************************************"
+msg "Runner executing $1 on $OS_REL_VER"
+msg "************************************************************"
+
+cd "$SKOPEO_PATH"
+$handler
--- a/contrib/skopeoimage/README.md
+++ b/contrib/skopeoimage/README.md
@@ -1,43 +1,2 @@
-<img src="https://cdn.rawgit.com/containers/skopeo/master/docs/skopeo.svg" width="250">
-
----
-
-# skopeoimage
-
-## Overview
-
-This directory contains the Dockerfiles necessary to create the three skopeoimage container
-images that are housed on quay.io under the skopeo account.  All three repositories where
-the images live are public and can be pulled without credentials.  These container images
-are secured and the resulting containers can run safely.  The container images are built
-using the latest Fedora and then Skopeo is installed into them:
-
-  * quay.io/skopeo/stable - This image is built using the latest stable version of Skopeo in a Fedora based container.  Built with skopeoimage/stable/Dockerfile.
-  * quay.io/skopeo/upstream - This image is built using the latest code found in this GitHub repository.  When someone creates a commit and pushes it, the image is created.  Due to that the image changes frequently and is not guaranteed to be stable.  Built with skopeoimage/upstream/Dockerfile.
-  * quay.io/skopeo/testing - This image is built using the latest version of Skopeo that is or was in updates testing for Fedora.  At times this may be the same as the stable image.  This container image will primarily be used by the development teams for verification testing when a new package is created.  Built with skopeoimage/testing/Dockerfile.
-
-## Multiarch images
-
-Multiarch images are available for Skopeo upstream and stable versions. Supported architectures are `amd64`, `s390x`, `ppc64le`.
-Available images are `quay.io/skopeo/upstream:master`, `quay.io/skopeo/stable:v1.2.0`, `quay.io/containers/skopeo:v1.2.0`.
-
-Images can be used the same way as in a single architecture case, no extra setup is required. For samples see next chapter.
-
-## Sample Usage
-
-Although not required, it is suggested that [Podman](https://github.com/containers/podman) be used with these container images.
-
-```
-# Get Help on Skopeo
-podman run docker://quay.io/skopeo/stable:latest --help
-
-# Get help on the Skopeo Copy command
-podman run docker://quay.io/skopeo/stable:latest copy --help
-
-# Copy the Skopeo container image from quay.io to
-# a private registry
-podman run docker://quay.io/skopeo/stable:latest copy docker://quay.io/skopeo/stable docker://registry.internal.company.com/skopeo
-
-# Inspect the fedora:latest image
-podman run docker://quay.io/skopeo/stable:latest inspect --config docker://registry.fedoraproject.org/fedora:latest  | jq
-```
+The skopeo container image build context and automation have been
+moved to [https://github.com/containers/image_build/tree/main/skopeo](https://github.com/containers/image_build/tree/main/skopeo)
--- a/contrib/skopeoimage/stable/Dockerfile
+++ b/contrib/skopeoimage/stable/Dockerfile
@@ -1,33 +0,0 @@
-# stable/Dockerfile
-#
-# Build a Skopeo container image from the latest
-# stable version of Skopeo on the Fedoras Updates System.
-# https://bodhi.fedoraproject.org/updates/?search=skopeo
-# This image can be used to create a secured container
-# that runs safely with privileges within the container.
-#
-FROM registry.fedoraproject.org/fedora:32
-
-# Don't include container-selinux and remove
-# directories used by yum that are just taking
-# up space.  Also reinstall shadow-utils as without
-# doing so, the setuid/setgid bits on newuidmap
-# and newgidmap are lost in the Fedora images. 
-RUN useradd skopeo; yum -y update; yum -y reinstall shadow-utils; yum -y install skopeo fuse-overlayfs --exclude container-selinux; yum -y clean all; rm -rf /var/cache/dnf/* /var/log/dnf* /var/log/yum*
-
-# Adjust storage.conf to enable Fuse storage.
-RUN sed -i -e 's|^#mount_program|mount_program|g' -e '/additionalimage.*/a "/var/lib/shared",' -e 's|^mountopt[[:space:]]*=.*$|mountopt = "nodev,fsync=0"|g' /etc/containers/storage.conf
-
-# Setup the ability to use additional stores
-# with this container image.
-RUN mkdir -p /var/lib/shared/overlay-images /var/lib/shared/overlay-layers; touch /var/lib/shared/overlay-images/images.lock; touch /var/lib/shared/overlay-layers/layers.lock
-
-# Setup skopeo's uid/guid entries
-RUN echo skopeo:100000:65536 > /etc/subuid
-RUN echo skopeo:100000:65536 > /etc/subgid
-
-# Point to the Authorization file
-ENV REGISTRY_AUTH_FILE=/auth.json
-
-# Set the entrypoint
-ENTRYPOINT ["/usr/bin/skopeo"]
--- a/contrib/skopeoimage/testing/Dockerfile
+++ b/contrib/skopeoimage/testing/Dockerfile
@@ -1,34 +0,0 @@
-# testing/Dockerfile
-#
-# Build a Skopeo container image from the latest
-# version of Skopeo that is in updates-testing
-# on the Fedoras Updates System.
-# https://bodhi.fedoraproject.org/updates/?search=skopeo
-# This image can be used to create a secured container
-# that runs safely with privileges within the container.
-#
-FROM registry.fedoraproject.org/fedora:32
-
-# Don't include container-selinux and remove
-# directories used by yum that are just taking
-# up space.  Also reinstall shadow-utils as without
-# doing so, the setuid/setgid bits on newuidmap
-# and newgidmap are lost in the Fedora images. 
-RUN useradd skopeo; yum -y update; yum -y reinstall shadow-utils; yum -y install skopeo fuse-overlayfs --enablerepo updates-testing --exclude container-selinux; yum -y clean all; rm -rf /var/cache/dnf/* /var/log/dnf* /var/log/yum*
-
-# Adjust storage.conf to enable Fuse storage.
-RUN sed -i -e 's|^#mount_program|mount_program|g' -e '/additionalimage.*/a "/var/lib/shared",' -e 's|^mountopt[[:space:]]*=.*$|mountopt = "nodev,fsync=0"|g' /etc/containers/storage.conf
-
-# Setup the ability to use additional stores
-# with this container image.
-RUN mkdir -p /var/lib/shared/overlay-images /var/lib/shared/overlay-layers; touch /var/lib/shared/overlay-images/images.lock; touch /var/lib/shared/overlay-layers/layers.lock
-
-# Setup skopeo's uid/guid entries
-RUN echo skopeo:100000:65536 > /etc/subuid
-RUN echo skopeo:100000:65536 > /etc/subgid
-
-# Point to the Authorization file
-ENV REGISTRY_AUTH_FILE=/auth.json
-
-# Set the entrypoint
-ENTRYPOINT ["/usr/bin/skopeo"]
--- a/contrib/skopeoimage/upstream/Dockerfile
+++ b/contrib/skopeoimage/upstream/Dockerfile
@@ -1,54 +0,0 @@
-# upstream/Dockerfile
-#
-# Build a Skopeo container image from the latest
-# upstream version of Skopeo on GitHub.
-# https://github.com/containers/skopeo
-# This image can be used to create a secured container
-# that runs safely with privileges within the container.
-#
-FROM registry.fedoraproject.org/fedora:32
-
-# Don't include container-selinux and remove
-# directories used by yum that are just taking
-# up space.  Also reinstall shadow-utils as without
-# doing so, the setuid/setgid bits on newuidmap
-# and newgidmap are lost in the Fedora images. 
-RUN useradd skopeo; yum -y update; yum -y reinstall shadow-utils; \
-yum -y install make \
-golang \
-git \
-go-md2man \
-fuse-overlayfs \
-fuse3 \
-containers-common \
-gpgme-devel \
-libassuan-devel \
-btrfs-progs-devel \
-device-mapper-devel --enablerepo updates-testing --exclude container-selinux; \
-mkdir /root/skopeo; \
-git clone https://github.com/containers/skopeo /root/skopeo/src/github.com/containers/skopeo; \
-export GOPATH=/root/skopeo; \
-cd /root/skopeo/src/github.com/containers/skopeo; \
-make bin/skopeo;\
-make install;\
-rm -rf /root/skopeo/*; \
-yum -y remove git golang go-md2man make; \
-yum -y clean all; yum -y clean all; rm -rf /var/cache/dnf/* /var/log/dnf* /var/log/yum*
-
-
-# Adjust storage.conf to enable Fuse storage.
-RUN sed -i -e 's|^#mount_program|mount_program|g' -e '/additionalimage.*/a "/var/lib/shared",' -e 's|^mountopt[[:space:]]*=.*$|mountopt = "nodev,fsync=0"|g' /etc/containers/storage.conf
-
-# Setup the ability to use additional stores
-# with this container image.
-RUN mkdir -p /var/lib/shared/overlay-images /var/lib/shared/overlay-layers; touch /var/lib/shared/overlay-images/images.lock; touch /var/lib/shared/overlay-layers/layers.lock
-
-# Setup skopeo's uid/guid entries
-RUN echo skopeo:100000:65536 > /etc/subuid
-RUN echo skopeo:100000:65536 > /etc/subgid
-
-# Point to the Authorization file
-ENV REGISTRY_AUTH_FILE=/auth.json
-
-# Set the entrypoint
-ENTRYPOINT ["/usr/bin/skopeo"]
--- a/default.yaml
+++ b/default.yaml
@@ -1,19 +1,21 @@
 # This is a default registries.d configuration file.  You may
 # add to this file or create additional files in registries.d/.
 #
-# sigstore: indicates a location that is read and write
-# sigstore-staging: indicates a location that is only for write
+# lookaside: for reading/writing simple signing signatures
+# lookaside-staging: for writing simple signing signatures, preferred over lookaside
 #
-# sigstore and sigstore-staging take a value of the following:
-#   sigstore:  {schema}://location
+# lookaside and lookaside-staging take a value of the following:
+#   lookaside:  {schema}://location
 #
 # For reading signatures, schema may be http, https, or file.
 # For writing signatures, schema may only be file.

-# This is the default signature write location for docker registries.
+# The default locations are built-in, for both reading and writing:
+# /var/lib/containers/sigstore for root, or
+# ~/.local/share/containers/sigstore for non-root users.
 default-docker:
-#  sigstore: file:///var/lib/containers/sigstore
-  sigstore-staging: file:///var/lib/containers/sigstore
+#  lookaside: https://…
+#  lookaside-staging: file:///…

 # The 'docker' indicator here is the start of the configuration
 # for docker registries.
@@ -21,6 +23,6 @@ default-docker:
 # docker:
 #
 #   privateregistry.com:
-#    sigstore: http://privateregistry.com/sigstore/
-#    sigstore-staging: /mnt/nfs/privateregistry/sigstore
+#    lookaside: https://privateregistry.com/sigstore/
+#    lookaside-staging: /mnt/nfs/privateregistry/sigstore

--- a/docs/skopeo-copy.1.md
+++ b/docs/skopeo-copy.1.md
@@ -4,7 +4,7 @@
 skopeo\-copy - Copy an image (manifest, filesystem layers, signatures) from one location to another.

 ## SYNOPSIS
-**skopeo copy** [**--sign-by=**_key-ID_] _source-image destination-image_
+**skopeo copy** [*options*] _source-image_ _destination-image_

 ## DESCRIPTION
 Copy an image (manifest, filesystem layers, signatures) from one location to another.
@@ -20,7 +20,13 @@ automatically inherit any parts of the source name.

 ## OPTIONS

-**--all**
+See also [skopeo(1)](skopeo.1.md) for options placed before the subcommand name.
+
+**--additional-tag**=_strings_
+
+Additional tags (supports docker-archive).
+
+**--all**, **-a**

 If _source-image_ refers to a list of images, instead of copying just the image which matches the current OS and
 architecture (subject to the use of the global --override-os, --override-arch and --override-variant options), attempt to copy all of
@@ -42,61 +48,197 @@ Path of the authentication file for the source registry. Uses path given by `--a

 Path of the authentication file for the destination registry. Uses path given by `--authfile`, if not provided.

-**--format, -f** _manifest-type_ Manifest type (oci, v2s1, or v2s2) to use when saving image to directory using the 'dir:' transport (default is manifest type of source)
+**--dest-shared-blob-dir** _directory_

-**--quiet, -q** suppress output information when copying images
+Directory to use to share blobs across OCI repositories.

-**--remove-signatures** do not copy signatures, if any, from _source-image_. Necessary when copying a signed image to a destination which does not support signatures.
+**--digestfile** _path_

-**--sign-by=**_key-id_ add a signature using that key ID for an image name corresponding to _destination-image_
+After copying the image, write the digest of the resulting image to the file.

-**--encryption-key** _protocol:keyfile_ specifies the encryption protocol, which can be JWE (RFC7516), PGP (RFC4880), and PKCS7 (RFC2315) and the key material required for image encryption. For instance, jwe:/path/to/key.pem or pgp:admin@example.com or pkcs7:/path/to/x509-file.
+**--preserve-digests**

-**--decryption-key** _key[:passphrase]_ to be used for decryption of images. Key can point to keys and/or certificates. Decryption will be tried with all keys. If the key is protected by a passphrase, it is required to be passed in the argument and omitted otherwise.
+Preserve the digests during copying. Fail if the digest cannot be preserved.

-**--src-creds** _username[:password]_ for accessing the source registry.
+This option does not change what will be copied; consider using `--all` at the same time.

-**--dest-compress** _bool-value_ Compress tarball image layers when saving to directory using the 'dir' transport. (default is same compression type as source).
+**--encrypt-layer** _ints_

-**--dest-oci-accept-uncompressed-layers** _bool-value_ Allow uncompressed image layers when saving to an OCI image using the 'oci' transport. (default is to compress things that aren't compressed).
+*Experimental* the 0-indexed layer indices, with support for negative indexing (e.g. 0 is the first layer, -1 is the last layer)

-**--dest-creds** _username[:password]_ for accessing the destination registry.
+**--format**, **-f** _manifest-type_

-**--src-cert-dir** _path_ Use certificates at _path_ (*.crt, *.cert, *.key) to connect to the source registry or daemon.
+MANIFEST TYPE (oci, v2s1, or v2s2) to use in the destination (default is manifest type of source, with fallbacks)

-**--src-no-creds** _bool-value_ Access the registry anonymously.
+**--help**, **-h**

-**--src-tls-verify** _bool-value_ Require HTTPS and verify certificates when talking to container source registry or daemon (defaults to true).
+Print usage statement

-**--dest-cert-dir** _path_ Use certificates at _path_ (*.crt, *.cert, *.key) to connect to the destination registry or daemon.
+**--multi-arch** _option_

-**--dest-no-creds** _bool-value_  Access the registry anonymously.
+Control what is copied if _source-image_ refers to a multi-architecture image. Default is system.

-**--dest-tls-verify** _bool-value_ Require HTTPS and verify certificates when talking to container destination registry or daemon (defaults to true).
+Options:
+- system: Copy only the image that matches the system architecture
+- all: Copy the full multi-architecture image
+- index-only: Copy only the index

-**--src-daemon-host** _host_ Copy from docker daemon at _host_. If _host_ starts with `tcp://`, HTTPS is enabled by default. To use plain HTTP, use the form `http://` (default is `unix:///var/run/docker.sock`).
+The index-only option usually fails unless the referenced per-architecture images are already present in the destination, or the target registry supports sparse indexes.

-**--dest-daemon-host** _host_ Copy to docker daemon at _host_. If _host_ starts with `tcp://`, HTTPS is enabled by default. To use plain HTTP, use the form `http://` (default is `unix:///var/run/docker.sock`).
+**--quiet**, **-q**
+
+Suppress output information when copying images.
+
+**--remove-signatures**
+
+Do not copy signatures, if any, from _source-image_. Necessary when copying a signed image to a destination which does not support signatures.
+
+**--sign-by** _key-id_
+
+Add a “simple signing” signature using that key ID for an image name corresponding to _destination-image_
+
+**--sign-by-sigstore** _param-file_
+
+Add a sigstore signature based on the options in the specified containers sigstore signing parameter file, _param-file_.
+See containers-sigstore-signing-params.yaml(5) for details about the file format.
+
+**--sign-by-sigstore-private-key** _path_
+
+Add a sigstore signature using a private key at _path_ for an image name corresponding to _destination-image_
+
+**--sign-passphrase-file** _path_
+
+The passphare to use when signing with `--sign-by` or `--sign-by-sigstore-private-key`. Only the first line will be read. A passphrase stored in a file is of questionable security if other users can read this file. Do not use this option if at all avoidable.
+
+**--sign-identity** _reference_
+
+The identity to use when signing the image. The identity must be a fully specified docker reference. If the identity is not specified, the target docker reference will be used.
+
+**--src-shared-blob-dir** _directory_
+
+Directory to use to share blobs across OCI repositories.
+
+**--encryption-key** _protocol:keyfile_
+
+Specifies the encryption protocol, which can be JWE (RFC7516), PGP (RFC4880), and PKCS7 (RFC2315) and the key material required for image encryption. For instance, jwe:/path/to/key.pem or pgp:admin@example.com or pkcs7:/path/to/x509-file.
+
+**--decryption-key** _key[:passphrase]_
+
+Key to be used for decryption of images. Key can point to keys and/or certificates. Decryption will be tried with all keys. If the key is protected by a passphrase, it is required to be passed in the argument and omitted otherwise.
+
+**--src-creds** _username[:password]_
+
+Credentials for accessing the source registry.
+
+**--dest-compress**
+
+Compress tarball image layers when saving to directory using the 'dir' transport. (default is same compression type as source).
+
+**--dest-decompress**
+
+Decompress tarball image layers when saving to directory using the 'dir' transport. (default is same compression type as source).
+
+**--dest-oci-accept-uncompressed-layers**
+
+Allow uncompressed image layers when saving to an OCI image using the 'oci' transport. (default is to compress things that aren't compressed).
+
+**--dest-creds** _username[:password]_
+
+Credentials for accessing the destination registry.
+
+**--src-cert-dir** _path_
+
+Use certificates at _path_ (*.crt, *.cert, *.key) to connect to the source registry or daemon.
+
+**--src-no-creds**
+
+Access the registry anonymously.
+
+**--src-tls-verify**=_bool_
+
+Require HTTPS and verify certificates when talking to container source registry or daemon. Default to source registry setting.
+
+**--dest-cert-dir** _path_
+
+Use certificates at _path_ (*.crt, *.cert, *.key) to connect to the destination registry or daemon.
+
+**--dest-no-creds**
+
+Access the registry anonymously.
+
+**--dest-tls-verify**=_bool_
+
+Require HTTPS and verify certificates when talking to container destination registry or daemon. Default to destination registry setting.
+
+**--src-daemon-host** _host_
+
+Copy from docker daemon at _host_. If _host_ starts with `tcp://`, HTTPS is enabled by default. To use plain HTTP, use the form `http://` (default is `unix:///var/run/docker.sock`).
+
+**--dest-daemon-host** _host_
+
+Copy to docker daemon at _host_. If _host_ starts with `tcp://`, HTTPS is enabled by default. To use plain HTTP, use the form `http://` (default is `unix:///var/run/docker.sock`).

 Existing signatures, if any, are preserved as well.

-**--dest-compress-format** _format_ Specifies the compression format to use.  Supported values are: `gzip` and `zstd`.
+**--dest-compress-format** _format_

-**--dest-compress-level** _format_ Specifies the compression level to use.  The value is specific to the compression algorithm used, e.g. for zstd the accepted values are in the range 1-20 (inclusive), while for gzip it is 1-9 (inclusive).
+Specifies the compression format to use.  Supported values are: `gzip`, `zstd` and `zstd:chunked`.
+`zstd:chunked` is incompatible with encrypting images,
+and will be treated as `zstd` with a warning in that case.

-**--src-registry-token** _Bearer token_ for accessing the source registry.
+**--dest-compress-level** _format_

-**--dest-registry-token** _Bearer token_ for accessing the destination registry.
+Specifies the compression level to use.  The value is specific to the compression algorithm used, e.g. for zstd the accepted values are in the range 1-20 (inclusive), while for gzip it is 1-9 (inclusive).
+
+**--src-registry-token** _token_
+
+Bearer token for accessing the source registry.
+
+**--dest-registry-token** _token_
+
+Bearer token for accessing the destination registry.
+
+**--dest-precompute-digests**
+
+Precompute digests to ensure layers are not uploaded that already exist on the destination registry. Layers with initially unknown digests (ex. compressing "on the fly") will be temporarily streamed to disk.
+
+**--retry-times**
+
+The number of times to retry.
+
+**--retry-delay**
+
+Fixed delay between retries. If not set (or set to 0s), retry wait time will be exponentially increased based on the number of failed attempts.
+
+**--src-username**
+
+The username to access the source registry.
+
+**--src-password**
+
+The password to access the source registry.
+
+**--dest-username**
+
+The username to access the destination registry.
+
+**--dest-password**
+
+The password to access the destination registry.
+
+**--image-parallel-copies** _n_
+
+Maximum number of image layers to be copied (pulled/pushed) simultaneously. Not setting this field will fall back to containers/image defaults.

 ## EXAMPLES

 To just copy an image from one registry to another:
-```sh
+```console
 $ skopeo copy docker://quay.io/skopeo/stable:latest docker://registry.example.com/skopeo:latest
 ```

 To copy the layers of the docker.io busybox image to a local directory:
-```sh
+```console
 $ mkdir -p /var/lib/images/busybox
 $ skopeo copy docker://busybox:latest dir:/var/lib/images/busybox
 $ ls /var/lib/images/busybox/*
@@ -105,48 +247,51 @@ $ ls /var/lib/images/busybox/*
  /tmp/busybox/8ddc19f16526912237dd8af81971d5e4dd0587907234be2b83e249518d5b673f.tar
 ```

-To copy and sign an image:
+To create an archive consumable by `docker load` (but note that using a registry is almost always more efficient):
+```console
+$ skopeo copy docker://busybox:latest docker-archive:archive-file.tar:busybox:latest
+```

-```sh
-# skopeo copy --sign-by dev@example.com containers-storage:example/busybox:streaming docker://example/busybox:gold
+To copy and sign an image:
+```console
+$ skopeo copy --sign-by dev@example.com containers-storage:example/busybox:streaming docker://example/busybox:gold
 ```

 To encrypt an image:
-```sh
-skopeo copy docker://docker.io/library/nginx:1.17.8 oci:local_nginx:1.17.8
+```console
+$ skopeo copy docker://docker.io/library/nginx:1.17.8 oci:local_nginx:1.17.8

-openssl genrsa -out private.key 1024
-openssl rsa -in private.key -pubout > public.key
+$ openssl genrsa -out private.key 1024
+$ openssl rsa -in private.key -pubout > public.key

-skopeo  copy --encryption-key jwe:./public.key oci:local_nginx:1.17.8 oci:try-encrypt:encrypted
+$ skopeo copy --encryption-key jwe:./public.key oci:local_nginx:1.17.8 oci:try-encrypt:encrypted
 ```

 To decrypt an image:
-```sh
-skopeo copy --decryption-key ./private.key oci:try-encrypt:encrypted oci:try-decrypt:decrypted
+```console
+$ skopeo copy --decryption-key ./private.key oci:try-encrypt:encrypted oci:try-decrypt:decrypted
 ```

 To copy encrypted image without decryption:
-```sh
-skopeo copy oci:try-encrypt:encrypted oci:try-encrypt-copy:encrypted
+```console
+$ skopeo copy oci:try-encrypt:encrypted oci:try-encrypt-copy:encrypted
 ```

 To decrypt an image that requires more than one key:
-```sh
-skopeo copy --decryption-key ./private1.key --decryption-key ./private2.key --decryption-key ./private3.key oci:try-encrypt:encrypted oci:try-decrypt:decrypted
+```console
+$ skopeo copy --decryption-key ./private1.key --decryption-key ./private2.key --decryption-key ./private3.key oci:try-encrypt:encrypted oci:try-decrypt:decrypted
 ```

 Container images can also be partially encrypted by specifying the index of the layer. Layers are 0-indexed indices, with support for negative indexing. i.e. 0 is the first layer, -1 is the last layer.

 Let's say out of 3 layers that the image `docker.io/library/nginx:1.17.8` is made up of, we only want to encrypt the 2nd layer,
-```sh
-skopeo  copy --encryption-key jwe:./public.key --encrypt-layer 1 oci:local_nginx:1.17.8 oci:try-encrypt:encrypted
+```console
+$ skopeo copy --encryption-key jwe:./public.key --encrypt-layer 1 oci:local_nginx:1.17.8 oci:try-encrypt:encrypted
 ```

 ## SEE ALSO
-skopeo(1), skopeo-login(1), docker-login(1), containers-auth.json(5), containers-policy.json(5), containers-transports(5)
+skopeo(1), skopeo-login(1), docker-login(1), containers-auth.json(5), containers-policy.json(5), containers-transports(5), containers-signature(5)

 ## AUTHORS

 Antonio Murdaca <runcom@redhat.com>, Miloslav Trmac <mitr@redhat.com>, Jhon Honce <jhonce@redhat.com>
-
--- a/docs/skopeo-delete.1.md
+++ b/docs/skopeo-delete.1.md
@@ -4,43 +4,95 @@
 skopeo\-delete - Mark the _image-name_ for later deletion by the registry's garbage collector.

 ## SYNOPSIS
-**skopeo delete** _image-name_
+**skopeo delete** [*options*] _image-name_

-Mark _image-name_ for deletion.  To release the allocated disk space, you must login to the container registry server and execute the container registry garbage collector. E.g.,
+## DESCRIPTION
+
+Mark _image-name_ for deletion.
+The effect of this is registry-specific; many registries don’t support this operation, or don’t allow it in some circumstances / configurations.
+
+**WARNING**: If _image-name_ contains a digest, this affects the referenced manifest, and may delete all tags (within the current repository?) pointing to that manifest.
+
+**WARNING**: If _image-name_ contains a tag (but not a digest), in the current version of Skopeo this resolves the tag into a digest, and then deletes the manifest by digest, as described above (possibly deleting all tags pointing to that manifest, not just the provided tag). This behavior may change in the future.
+
+
+When using the github.com/distribution/distribution registry server:
+To release the allocated disk space, you must login to the container registry server and execute the container registry garbage collector. E.g.,

 ```
 /usr/bin/registry garbage-collect /etc/docker-distribution/registry/config.yml
-
+```
 Note: sometimes the config.yml is stored in /etc/docker/registry/config.yml

 If you are running the container registry inside of a container you would execute something like:
-
-$ docker exec -it registry /usr/bin/registry garbage-collect /etc/docker-distribution/registry/config.yml
-
 ```
+$ docker exec -it registry /usr/bin/registry garbage-collect /etc/docker-distribution/registry/config.yml
+```
+
+## OPTIONS
+
+See also [skopeo(1)](skopeo.1.md) for options placed before the subcommand name.

 **--authfile** _path_

-  Path of the authentication file. Default is ${XDG_RUNTIME\_DIR}/containers/auth.json, which is set using `skopeo login`.
-  If the authorization state is not found there, $HOME/.docker/config.json is checked, which is set using `docker login`.
+Path of the authentication file. Default is ${XDG_RUNTIME\_DIR}/containers/auth.json, which is set using `skopeo login`.
+If the authorization state is not found there, $HOME/.docker/config.json is checked, which is set using `docker login`.

-**--creds** _username[:password]_ for accessing the registry.
+**--creds** _username[:password]_

-**--cert-dir** _path_ Use certificates at _path_ (*.crt, *.cert, *.key) to connect to the registry.
+Credentials for accessing the registry.

-**--tls-verify** _bool-value_ Require HTTPS and verify certificates when talking to container registries (defaults to true).
+**--cert-dir** _path_

-**--no-creds** _bool-value_ Access the registry anonymously.
+Use certificates at _path_ (*.crt, *.cert, *.key) to connect to the registry.
+
+**--daemon-host** _host_
+
+Use docker daemon host at _host_ (`docker-daemon:` transport only)
+
+**--help**, **-h**
+
+Print usage statement
+
+**--no-creds**
+
+Access the registry anonymously.

 Additionally, the registry must allow deletions by setting `REGISTRY_STORAGE_DELETE_ENABLED=true` for the registry daemon.

-**--registry-token** _Bearer token_ for accessing the registry.
+**--registry-token** _token_
+
+Bearer token for accessing the registry.
+
+**--retry-times**
+
+The number of times to retry.
+
+**--retry-delay**
+
+Fixed delay between retries. If not set (or set to 0s), retry wait time will be exponentially increased based on the number of failed attempts.
+
+**--shared-blob-dir** _directory_
+
+Directory to use to share blobs across OCI repositories.
+
+**--tls-verify**=_bool_
+
+Require HTTPS and verify certificates when talking to the container registry or daemon. Default to registry.conf setting.
+
+**--username**
+
+The username to access the registry.
+
+**--password**
+
+The password to access the registry.

 ## EXAMPLES

 Mark image example/pause for deletion from the registry.example.com registry:
-```sh
-$ skopeo delete --force docker://registry.example.com/example/pause:latest
+```console
+$ skopeo delete docker://registry.example.com/example/pause:latest
 ```
 See above for additional details on using the command **delete**.

@@ -51,4 +103,3 @@ skopeo(1), skopeo-login(1), docker-login(1), containers-auth.json(5)
 ## AUTHORS

 Antonio Murdaca <runcom@redhat.com>, Miloslav Trmac <mitr@redhat.com>, Jhon Honce <jhonce@redhat.com>
-
--- a/docs/skopeo-generate-sigstore-key.1.md
+++ b/docs/skopeo-generate-sigstore-key.1.md
@@ -0,0 +1,49 @@
+% skopeo-generate-sigstore-key(1)
+
+## NAME
+skopeo\-generate-sigstore-key - Generate a sigstore public/private key pair.
+
+## SYNOPSIS
+**skopeo generate-sigstore-key** [*options*] **--output-prefix** _prefix_
+
+## DESCRIPTION
+
+Generates a public/private key pair suitable for creating sigstore image signatures.
+The private key is encrypted with a passphrase;
+if one is not provided using an option, this command prompts for it interactively.
+
+The private key is written to _prefix_**.private** .
+The public key is written to _prefix_**.pub** .
+
+## OPTIONS
+
+See also [skopeo(1)](skopeo.1.md) for options placed before the subcommand name.
+
+**--help**, **-h**
+
+Print usage statement
+
+**--output-prefix** _prefix_
+
+Mandatory.
+Path prefix for the output keys (_prefix_**.private** and _prefix_**.pub**).
+
+**--passphrase-file** _path_
+
+The passphare to use to encrypt the private key.
+Only the first line will be read.
+A passphrase stored in a file is of questionable security if other users can read this file.
+Do not use this option if at all avoidable.
+
+## EXAMPLES
+
+```console
+$ skopeo generate-sigstore-key --output-prefix mykey
+```
+
+# SEE ALSO
+skopeo(1), skopeo-copy(1), containers-policy.json(5)
+
+## AUTHORS
+
+Miloslav Trmač <mitr@redhat.com>
--- a/docs/skopeo-inspect.1.md
+++ b/docs/skopeo-inspect.1.md
@@ -8,12 +8,17 @@ skopeo\-inspect - Return low-level information about _image-name_ in a registry.

 ## DESCRIPTION

-Return low-level information about _image-name_ in a registry
+Return low-level information about _image-name_ in a registry.
+See [skopeo(1)](skopeo.1.md) for the format of _image-name_.

-_image-name_ name of image to retrieve information about
+The default output includes data from various sources: user input (**Name**), the remote repository, if any (**RepoTags**), the top-level manifest (**Digest**),
+and a per-architecture/OS image matching the current run-time environment (most other values).
+To see values for a different architecture/OS, use the **--override-os** / **--override-arch** options documented in [skopeo(1)](skopeo.1.md).

 ## OPTIONS

+See also [skopeo(1)](skopeo.1.md) for options placed before the subcommand name.
+
 **--authfile** _path_

 Path of the authentication file. Default is ${XDG\_RUNTIME\_DIR}/containers/auth.json, which is set using `skopeo login`.
@@ -31,10 +36,19 @@ Output configuration in OCI format, default is to format in JSON format.

 Username and password for accessing the registry.

+**--daemon-host** _host_
+
+Use docker daemon host at _host_ (`docker-daemon:` transport only)
+
 **--format**, **-f**=*format*

 Format the output using the given Go template.
 The keys of the returned JSON can be used as the values for the --format flag (see examples below).
+Supports the Go templating functions available at https://pkg.go.dev/github.com/containers/common/pkg/report#hdr-Template_Functions
+
+**--help**, **-h**
+
+Print usage statement

 **--no-creds**

@@ -51,47 +65,119 @@ Registry token for accessing the registry.

 **--retry-times**

-The number of times to retry; retry wait time will be exponentially increased based on the number of failed attempts.
+The number of times to retry.

-**--tls-verify**
+**--retry-delay**

-Require HTTPS and verify certificates when talking to container registries (defaults to true).
+Fixed delay between retries. If not set (or set to 0s), retry wait time will be exponentially increased based on the number of failed attempts.
+
+**--shared-blob-dir** _directory_
+
+Directory to use to share blobs across OCI repositories.
+
+**--tls-verify**=_bool_
+
+Require HTTPS and verify certificates when talking to the container registry or daemon. Default to registry.conf setting.
+
+**--username**
+
+The username to access the registry.
+
+**--password**
+
+The password to access the registry.
+
+**--no-tags**, **-n**
+
+Do not list the available tags from the repository in the output. When `true`, the `RepoTags` array will be empty.  Defaults to `false`, which includes all available tags.

 ## EXAMPLES

 To review information for the image fedora from the docker.io registry:
-```sh
+```console
 $ skopeo inspect docker://docker.io/fedora
+
 {
    "Name": "docker.io/library/fedora",
-    "Digest": "sha256:a97914edb6ba15deb5c5acf87bd6bd5b6b0408c96f48a5cbd450b5b04509bb7d",
+    "Digest": "sha256:f99efcddc4dd6736d8a88cc1ab6722098ec1d77dbf7aed9a7a514fc997ca08e0",
    "RepoTags": [
-	"20",
-	"21",
-	"22",
-	"23",
-	"24",
-	"heisenbug",
-	"latest",
-	"rawhide"
+        "20",
+        "21",
+        "..."
    ],
-    "Created": "2016-06-20T19:33:43.220526898Z",
-    "DockerVersion": "1.10.3",
-    "Labels": {},
+    "Created": "2022-11-16T07:26:42.618327645Z",
+    "DockerVersion": "20.10.12",
+    "Labels": {
+        "maintainer": "Clement Verna \u003ccverna@fedoraproject.org\u003e"
+    },
    "Architecture": "amd64",
    "Os": "linux",
    "Layers": [
-	"sha256:7c91a140e7a1025c3bc3aace4c80c0d9933ac4ee24b8630a6b0b5d8b9ce6b9d4"
+        "sha256:cb8b1ed77979b894115a983f391465651aa7eb3edd036be4b508eea47271eb93"
+    ],
+    "LayersData": [
+        {
+            "MIMEType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
+            "Digest": "sha256:cb8b1ed77979b894115a983f391465651aa7eb3edd036be4b508eea47271eb93",
+            "Size": 65990920,
+            "Annotations": null
+        }
+    ],
+    "Env": [
+        "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
+        "DISTTAG=f37container",
+        "FGC=f37",
+        "FBR=f37"
    ]
 }
 ```

+To inspect python from the docker.io registry and not show the available tags:
+```console
+$ skopeo inspect --no-tags docker://docker.io/library/python
+{
+    "Name": "docker.io/library/python",
+    "Digest": "sha256:10fc14aa6ae69f69e4c953cffd9b0964843d8c163950491d2138af891377bc1d",
+    "RepoTags": [],
+    "Created": "2022-11-16T06:55:28.566254104Z",
+    "DockerVersion": "20.10.12",
+    "Labels": null,
+    "Architecture": "amd64",
+    "Os": "linux",
+    "Layers": [
+        "sha256:a8ca11554fce00d9177da2d76307bdc06df7faeb84529755c648ac4886192ed1",
+        "sha256:e4e46864aba2e62ba7c75965e4aa33ec856ee1b1074dda6b478101c577b63abd",
+        "..."
+    ],
+    "LayersData": [
+        {
+            "MIMEType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
+            "Digest": "sha256:a8ca11554fce00d9177da2d76307bdc06df7faeb84529755c648ac4886192ed1",
+            "Size": 55038615,
+            "Annotations": null
+        },
+        {
+            "MIMEType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
+            "Digest": "sha256:e4e46864aba2e62ba7c75965e4aa33ec856ee1b1074dda6b478101c577b63abd",
+            "Size": 5164893,
+            "Annotations": null
+        },
+        "..."
+    ],
+    "Env": [
+        "PATH=/usr/local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
+        "LANG=C.UTF-8",
+        "...",
+    ]
+}
 ```
+
+```console
 $ /bin/skopeo inspect --config docker://registry.fedoraproject.org/fedora --format "{{ .Architecture }}"
 amd64
 ```

-```
+```console
 $ /bin/skopeo inspect --format '{{ .Env }}' docker://registry.access.redhat.com/ubi8
 [PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin container=oci]
 ```
--- a/docs/skopeo-list-tags.1.md
+++ b/docs/skopeo-list-tags.1.md
@@ -1,57 +1,91 @@
 % skopeo-list-tags(1)

 ## NAME
-skopeo\-list\-tags - Return a list of tags for the transport-specific image repository.
+skopeo\-list\-tags - List image names in a transport-specific collection of images.

 ## SYNOPSIS
-**skopeo list-tags** _repository-name_
+**skopeo list-tags** [*options*] _source-image_

-Return a list of tags from _repository-name_ in a registry.
+Return a list of tags from _source-image_ in a registry or a local docker-archive file.

-  _repository-name_ name of repository to retrieve tag listing from
+  _source-image_ name of the repository to retrieve a tag listing from or a local docker-archive file.

-  **--authfile** _path_
+## OPTIONS

-  Path of the authentication file. Default is ${XDG\_RUNTIME\_DIR}/containers/auth.json, which is set using `skopeo login`.
+See also [skopeo(1)](skopeo.1.md) for options placed before the subcommand name.
+
+**--authfile** _path_
+
+Path of the authentication file. Default is ${XDG\_RUNTIME\_DIR}/containers/auth.json, which is set using `skopeo login`.
  If the authorization state is not found there, $HOME/.docker/config.json is checked, which is set using `docker login`.

-  **--creds** _username[:password]_ for accessing the registry.
+**--creds** _username[:password]_ for accessing the registry.

-  **--cert-dir** _path_ Use certificates at _path_ (\*.crt, \*.cert, \*.key) to connect to the registry.
+**--cert-dir** _path_

-  **--tls-verify** _bool-value_ Require HTTPS and verify certificates when talking to container registries (defaults to true).
+Use certificates at _path_ (\*.crt, \*.cert, \*.key) to connect to the registry.

-  **--no-creds** _bool-value_ Access the registry anonymously.
+**--help**, **-h**

-  **--registry-token** _Bearer token_ for accessing the registry.
+Print usage statement
+
+**--no-creds**
+
+Access the registry anonymously.
+
+**--registry-token** _Bearer token_
+
+Bearer token for accessing the registry.
+
+**--retry-times**
+
+The number of times to retry.
+
+**--retry-delay**
+
+Fixed delay between retries. If not set (or set to 0s), retry wait time will be exponentially increased based on the number of failed attempts.
+
+**--tls-verify**=_bool_
+
+Require HTTPS and verify certificates when talking to the container registry or daemon. Default to registry.conf setting.
+
+**--username**
+
+The username to access the registry.
+
+**--password**
+
+The password to access the registry.

 ## REPOSITORY NAMES

-Repository names are transport-specific references as each transport may have its own concept of a "repository" and "tags". Currently, only the Docker transport is supported.
+Repository names are transport-specific references as each transport may have its own concept of a "repository" and "tags".

 This commands refers to repositories using a _transport_`:`_details_ format. The following formats are supported:

  **docker://**_docker-repository-reference_
  A repository in a registry implementing the "Docker Registry HTTP API V2". By default, uses the authorization state in either `$XDG_RUNTIME_DIR/containers/auth.json`, which is set using `(skopeo login)`. If the authorization state is not found there, `$HOME/.docker/config.json` is checked, which is set using `(docker login)`.
  A _docker-repository-reference_ is of the form: **registryhost:port/repositoryname** which is similar to an _image-reference_ but with no tag or digest allowed as the last component (e.g no `:latest` or `@sha256:xyz`)
-      
+
      Examples of valid docker-repository-references:
        "docker.io/myuser/myrepo"
        "docker.io/nginx"
        "docker.io/library/fedora"
        "localhost:5000/myrepository"
-        
+
      Examples of invalid references:
        "docker.io/nginx:latest"
        "docker.io/myuser/myimage:v1.0"
        "docker.io/myuser/myimage@sha256:f48c4cc192f4c3c6a069cb5cca6d0a9e34d6076ba7c214fd0cc3ca60e0af76bb"
-       
+
+  **docker-archive:path[:docker-reference]
+  more than one images were stored in a docker save-formatted file. 

 ## EXAMPLES

 ### Docker Transport
 To get the list of tags in the "fedora" repository from the docker.io registry (the repository name expands to "library/fedora" per docker transport canonical form):
-```sh
+```console
 $ skopeo list-tags docker://docker.io/fedora
 {
    "Repository": "docker.io/library/fedora",
@@ -82,7 +116,7 @@ $ skopeo list-tags docker://docker.io/fedora

 To list the tags in a local host docker/distribution registry on port 5000, in this case for the "fedora" repository:

-```sh
+```console
 $ skopeo list-tags docker://localhost:5000/fedora
 {
    "Repository": "localhost:5000/fedora",
@@ -95,10 +129,49 @@ $ skopeo list-tags docker://localhost:5000/fedora

 ```

+### Docker-archive Transport
+
+To list the tags in a local docker-archive file:
+
+```console
+$ skopeo list-tags docker-archive:/tmp/busybox.tar.gz
+{
+    "Tags": [
+        "busybox:1.28.3"
+    ]
+}
+```
+
+Also supports more than one tags in an archive:
+
+```console
+$ skopeo list-tags docker-archive:/tmp/docker-two-images.tar.gz
+{
+    "Tags": [
+        "example.com/empty:latest",
+        "example.com/empty/but:different"
+    ]
+}
+```
+
+Will include a source-index entry for each untagged image:
+
+```console
+$ skopeo list-tags docker-archive:/tmp/four-tags-with-an-untag.tar
+{
+    "Tags": [
+        "image1:tag1",
+        "image2:tag2",
+        "@2",
+        "image4:tag4"
+    ]
+}
+```
+
+
 # SEE ALSO
-skopeo(1), skopeo-login(1), docker-login(1), containers-auth.json(5)
+skopeo(1), skopeo-login(1), docker-login(1), containers-auth.json(5), containers-transports(1)

 ## AUTHORS

 Zach Hill <zach@anchore.com>
-
--- a/docs/skopeo-login.1.md
+++ b/docs/skopeo-login.1.md
@@ -4,7 +4,7 @@
 skopeo\-login - Login to a container registry.

 ## SYNOPSIS
-**skopeo login** [*options*] *registry*
+**skopeo login** [*options*] _registry_

 ## DESCRIPTION
 **skopeo login** logs into a specified registry server with the correct username
@@ -15,6 +15,8 @@ flag. The default path used is **${XDG\_RUNTIME\_DIR}/containers/auth.json**.

 ## OPTIONS

+See also [skopeo(1)](skopeo.1.md) for options placed before the subcommand name.
+
 **--password**, **-p**=*password*

 Password for registry
@@ -34,6 +36,10 @@ Path of the authentication file. Default is ${XDG\_RUNTIME\_DIR}/containers/auth
 Note: You can also override the default path of the authentication file by setting the REGISTRY\_AUTH\_FILE
 environment variable. `export REGISTRY_AUTH_FILE=path`

+**--compat-auth-file**=*path*
+
+Instead of updating the default credentials file, update the one at *path*, and use a Docker-compatible format.
+
 **--get-login**

 Return the logged-in user for the registry. Return error if no login is found.
@@ -43,53 +49,55 @@ Return the logged-in user for the registry. Return error if no login is found.
 Use certificates at *path* (\*.crt, \*.cert, \*.key) to connect to the registry.
 Default certificates directory is _/etc/containers/certs.d_.

-**--tls-verify**=*true|false*
-
-Require HTTPS and verify certificates when contacting registries (default: true). If explicitly set to true,
-then TLS verification will be used. If set to false, then TLS verification will not be used. If not specified,
-TLS verification will be used unless the target registry is listed as an insecure registry in registries.conf.
-
 **--help**, **-h**

 Print usage statement

+**--tls-verify**=_bool_
+
+Require HTTPS and verify certificates when talking to the container registry or daemon. Default to registry.conf setting.
+
+**--verbose**, **-v**
+
+Write more detailed information to stdout
+
 ## EXAMPLES

-```
+```console
 $ skopeo login docker.io
 Username: testuser
 Password:
 Login Succeeded!
 ```

-```
+```console
 $ skopeo login -u testuser -p testpassword localhost:5000
 Login Succeeded!
 ```

-```
+```console
 $ skopeo login --authfile authdir/myauths.json docker.io
 Username: testuser
 Password:
 Login Succeeded!
 ```

-```
+```console
 $ skopeo login --tls-verify=false -u test -p test localhost:5000
 Login Succeeded!
 ```

-```
+```console
 $ skopeo login --cert-dir /etc/containers/certs.d/ -u foo -p bar localhost:5000
 Login Succeeded!
 ```

-```
+```console
 $ skopeo login -u testuser  --password-stdin < testpassword.txt docker.io
 Login Succeeded!
 ```

-```
+```console
 $ echo $testpassword | skopeo login -u testuser --password-stdin docker.io
 Login Succeeded!
 ```
--- a/docs/skopeo-logout.1.md
+++ b/docs/skopeo-logout.1.md
@@ -4,7 +4,7 @@
 skopeo\-logout - Logout of a container registry.

 ## SYNOPSIS
-**skopeo logout** [*options*] *registry*
+**skopeo logout** [*options*] _registry_

 ## DESCRIPTION
 **skopeo logout** logs out of a specified registry server by deleting the cached credentials
@@ -14,6 +14,8 @@ All the cached credentials can be removed by setting the **all** flag.

 ## OPTIONS

+See also [skopeo(1)](skopeo.1.md) for options placed before the subcommand name.
+
 **--authfile**=*path*

 Path of the authentication file. Default is ${XDG\_RUNTIME\_DIR}/containers/auth.json
@@ -21,6 +23,10 @@ Path of the authentication file. Default is ${XDG\_RUNTIME\_DIR}/containers/auth
 Note: You can also override the default path of the authentication file by setting the REGISTRY\_AUTH\_FILE
 environment variable. `export REGISTRY_AUTH_FILE=path`

+**--compat-auth-file**=*path*
+
+Instead of updating the default credentials file, update the one at *path*, and use a Docker-compatible format.
+
 **--all**, **-a**

 Remove the cached credentials for all registries in the auth file
@@ -29,19 +35,23 @@ Remove the cached credentials for all registries in the auth file

 Print usage statement

+**--tls-verify**=_bool_
+
+Require HTTPS and verify certificates when talking to the container registry or daemon. Default to registry.conf setting.
+
 ## EXAMPLES

-```
+```console
 $ skopeo logout docker.io
 Remove login credentials for docker.io
 ```

-```
+```console
 $ skopeo logout --authfile authdir/myauths.json docker.io
 Remove login credentials for docker.io
 ```

-```
+```console
 $ skopeo logout --all
 Remove login credentials for all registries
 ```
--- a/docs/skopeo-manifest-digest.1.md
+++ b/docs/skopeo-manifest-digest.1.md
@@ -10,9 +10,15 @@ skopeo\-manifest\-digest - Compute a manifest digest for a manifest-file and wri

 Compute a manifest digest of _manifest-file_ and write it to standard output.

+## OPTIONS
+
+**--help**, **-h**
+
+Print usage statement
+
 ## EXAMPLES

-```sh
+```console
 $ skopeo manifest-digest manifest.json
 sha256:a59906e33509d14c036c8678d687bd4eec81ed7c4b8ce907b888c607f6a1e0e6
 ```
@@ -23,4 +29,3 @@ skopeo(1)
 ## AUTHORS

 Antonio Murdaca <runcom@redhat.com>, Miloslav Trmac <mitr@redhat.com>, Jhon Honce <jhonce@redhat.com>
-
--- a/docs/skopeo-standalone-sign.1.md
+++ b/docs/skopeo-standalone-sign.1.md
@@ -1,14 +1,13 @@
 % skopeo-standalone-sign(1)

 ## NAME
-skopeo\-standalone-sign - Debugging tool - Publish and sign an image in one step.
+skopeo\-standalone-sign - Debugging tool - Sign an image locally without uploading.

 ## SYNOPSIS
-**skopeo standalone-sign** _manifest docker-reference key-fingerprint_ **--output**|**-o** _signature_
+**skopeo standalone-sign** [*options*] _manifest_ _docker-reference_ _key-fingerprint_ **--output**|**-o** _signature_

 ## DESCRIPTION
-This is primarily a debugging tool, or useful for special cases,
-and usually should not be a part of your normal operational workflow; use `skopeo copy --sign-by` instead to publish and sign an image in one step.
+This is primarily a debugging tool, useful for special cases, and usually should not be a part of your normal operational workflow; use `skopeo copy --sign-by` instead to publish and sign an image in one step.

  _manifest_ Path to a file containing the image manifest

@@ -16,19 +15,36 @@ and usually should not be a part of your normal operational workflow; use `skope

  _key-fingerprint_ Key identity to use for signing

-  **--output**|**-o** output file
+## OPTIONS
+
+See also [skopeo(1)](skopeo.1.md) for options placed before the subcommand name.
+
+**--help**, **-h**
+
+Print usage statement
+
+**--output**, **-o** _output file_
+
+Write signature to _output file_.
+
+**--passphrase-file**=_path_
+
+The passphare to use when signing with the key ID from `--sign-by`. Only the first line will be read. A passphrase stored in a file is of questionable security if other users can read this file. Do not use this option if at all avoidable.

 ## EXAMPLES

-```sh
+```console
 $ skopeo standalone-sign busybox-manifest.json registry.example.com/example/busybox 1D8230F6CDB6A06716E414C1DB72F2188BB46CC8 --output busybox.signature
 $
 ```

+## NOTES
+
+This command is intended for use with local signatures e.g. OpenPGP ( other signature formats may be added in the future ), as per containers-signature(5). Furthermore, this command does **not** interact with the artifacts generated by Docker Content Trust (DCT). For more information, please see [containers-signature(5)](https://github.com/containers/image/blob/main/docs/containers-signature.5.md).
+
 ## SEE ALSO
 skopeo(1), skopeo-copy(1), containers-signature(5)

 ## AUTHORS

 Antonio Murdaca <runcom@redhat.com>, Miloslav Trmac <mitr@redhat.com>, Jhon Honce <jhonce@redhat.com>
-
--- a/docs/skopeo-standalone-verify.1.md
+++ b/docs/skopeo-standalone-verify.1.md
@@ -1,36 +1,53 @@
 % skopeo-standalone-verify(1)

 ## NAME
-skopeo\-standalone\-verify - Verify an image signature.
+skopeo\-standalone\-verify - Debugging tool - Verify an image signature from local files.

 ## SYNOPSIS
-**skopeo standalone-verify** _manifest docker-reference key-fingerprint signature_
+**skopeo standalone-verify** _manifest_ _docker-reference_ _key-fingerprints_ _signature_

 ## DESCRIPTION

-Verify a signature using local files, digest will be printed on success.
+Verify a signature using local files; the digest will be printed on success. This is primarily a debugging tool, useful for special cases,
+and usually should not be a part of your normal operational workflow. Additionally, consider configuring a signature verification policy file,
+as per containers-policy.json(5).

  _manifest_ Path to a file containing the image manifest

  _docker-reference_ A docker reference expected to identify the image in the signature

-  _key-fingerprint_ Expected identity of the signing key
+  _key-fingerprints_ Identities of trusted signing keys (comma separated), or "any" to trust any known key when using a public key file

  _signature_ Path to signature file

 **Note:** If you do use this, make sure that the image can not be changed at the source location between the times of its verification and use.

+## OPTIONS
+
+See also [skopeo(1)](skopeo.1.md) for options placed before the subcommand name.
+
+**--help**, **-h**
+
+Print usage statement
+
+**--public-key-file** _public key file_
+
+File containing the public keys to use when verifying signatures. If this is not specified, keys from the GPG homedir are used.
+
 ## EXAMPLES

-```sh
+```console
 $ skopeo standalone-verify busybox-manifest.json registry.example.com/example/busybox 1D8230F6CDB6A06716E414C1DB72F2188BB46CC8  busybox.signature
 Signature verified, digest sha256:20bf21ed457b390829cdbeec8795a7bea1626991fda603e0d01b4e7f60427e55
 ```

+## NOTES
+
+This command is intended for use with local signatures e.g. OpenPGP ( other signature formats may be added in the future ), as per containers-signature(5). Furthermore, this command does **not** interact with the artifacts generated by Docker Content Trust (DCT). For more information, please see [containers-signature(5)](https://github.com/containers/image/blob/main/docs/containers-signature.5.md).
+
 ## SEE ALSO
-skopeo(1), containers-signature(5)
+skopeo(1), containers-signature(5), containers-policy.json(5)

 ## AUTHORS

 Antonio Murdaca <runcom@redhat.com>, Miloslav Trmac <mitr@redhat.com>, Jhon Honce <jhonce@redhat.com>
-
--- a/docs/skopeo-sync.1.md
+++ b/docs/skopeo-sync.1.md
@@ -1,17 +1,14 @@
 % skopeo-sync(1)

 ## NAME
-skopeo\-sync - Synchronize images between container registries and local directories.
+skopeo\-sync - Synchronize images between registry repositories and local directories.


 ## SYNOPSIS
-**skopeo sync** --src _transport_ --dest _transport_ _source_ _destination_
+**skopeo sync** [*options*] --src _transport_ --dest _transport_ _source_ _destination_

 ## DESCRIPTION
-Synchronize images between container registries and local directories.
-The synchronization is achieved by copying all the images found at _source_ to _destination_.
-
-Useful to synchronize a local container registry mirror, and to to populate registries running inside of air-gapped environments.
+Synchronize images between registry repositories and local directories. Synchronization is achieved by copying all the images found at _source_ to _destination_ - useful when synchronizing a local container registry mirror or for populating registries running inside of air-gapped environments.

 Differently from other skopeo commands, skopeo sync requires both source and destination transports to be specified separately from _source_ and _destination_.
 One of the problems of prefixing a destination with its transport is that, the registry `docker://hostname:port` would be wrongly interpreted as an image reference at a non-fully qualified registry, with `hostname` and `port` the image name and tag.
@@ -32,7 +29,10 @@ When the `--scoped` option is specified, images are prefixed with the source ima
 name can be stored at _destination_.

 ## OPTIONS
-**--all**
+
+See also [skopeo(1)](skopeo.1.md) for options placed before the subcommand name.
+
+**--all**, **-a**
 If one of the images in __src__ refers to a list of images, instead of copying just the image which matches the current OS and
 architecture (subject to the use of the global --override-os, --override-arch and --override-variant options), attempt to copy all of
 the images in the list, and the list itself.
@@ -50,15 +50,58 @@ Path of the authentication file for the source registry. Uses path given by `--a

 Path of the authentication file for the destination registry. Uses path given by `--authfile`, if not provided.

-**--src** _transport_ Transport for the source repository.
+**--dry-run**

-**--dest** _transport_ Destination transport.
+Run the sync without actually copying data to the destination.
+
+**--src**, **-s** _transport_ Transport for the source repository.
+
+**--dest**, **-d** _transport_ Destination transport.
+
+**--format**, **-f** _manifest-type_ Manifest Type (oci, v2s1, or v2s2) to use when syncing image(s) to a destination (default is manifest type of source, with fallbacks).
+
+**--help**, **-h**
+
+Print usage statement.

 **--scoped** Prefix images with the source image path, so that multiple images with the same name can be stored at _destination_.

+**--append-suffix** _tag-suffix_ String to append to destination tags.
+
+**--digestfile** _path_
+
+After copying the images from source, write the digest of the resulting images along with Image Reference.
+
+```
+sha256:bf91f90823248017a4f920fb541727fa8368dc6cf377a7debbd271cf6a31c8a7 docker://myhost.com/alpine:edge
+sha256:31603596830fc7e56753139f9c2c6bd3759e48a850659506ebfb885d1cf3aef5 docker://myhost.com/postgres:14.3
+
+```
+
+**--preserve-digests**
+
+Preserve the digests during copying. Fail if the digest cannot be preserved.
+
+This option does not change what will be copied; consider using `--all` at the same time.
+
 **--remove-signatures** Do not copy signatures, if any, from _source-image_. This is necessary when copying a signed image to a destination which does not support signatures.

-**--sign-by=**_key-id_ Add a signature using that key ID for an image name corresponding to _destination-image_.
+**--sign-by** _key-id_
+
+Add a “simple signing” signature using that key ID for an image name corresponding to _destination-image_
+
+**--sign-by-sigstore** _param-file_
+
+Add a sigstore signature based on the options in the specified containers sigstore signing parameter file, _param-file_.
+See containers-sigstore-signing-params.yaml(5) for details about the file format.
+
+**--sign-by-sigstore-private-key** _path_
+
+Add a sigstore signature using a private key at _path_ for an image name corresponding to _destination-image_
+
+**--sign-passphrase-file** _path_
+
+The passphare to use when signing with `--sign-by` or `--sign-by-sigstore-private-key`. Only the first line will be read. A passphrase stored in a file is of questionable security if other users can read this file. Do not use this option if at all avoidable.

 **--src-creds** _username[:password]_ for accessing the source registry.

@@ -66,24 +109,51 @@ Path of the authentication file for the destination registry. Uses path given by

 **--src-cert-dir** _path_ Use certificates (*.crt, *.cert, *.key) at _path_ to connect to the source registry or daemon.

-**--src-no-creds** _bool-value_ Access the registry anonymously.
+**--src-no-creds** Access the registry anonymously.

-**--src-tls-verify** _bool-value_ Require HTTPS and verify certificates when talking to a container source registry or daemon (defaults to true).
+**--src-tls-verify**=_bool_ Require HTTPS and verify certificates when talking to a container source registry or daemon. Default to source registry entry in registry.conf setting.

 **--dest-cert-dir** _path_ Use certificates (*.crt, *.cert, *.key) at _path_ to connect to the destination registry or daemon.

-**--dest-no-creds** _bool-value_  Access the registry anonymously.
+**--dest-no-creds** Access the registry anonymously.

-**--dest-tls-verify** _bool-value_ Require HTTPS and verify certificates when talking to a container destination registry or daemon (defaults to true).
+**--dest-tls-verify**=_bool_ Require HTTPS and verify certificates when talking to a container destination registry or daemon. Default to destination registry entry in registry.conf setting.

 **--src-registry-token** _Bearer token_ for accessing the source registry.

 **--dest-registry-token** _Bearer token_ for accessing the destination registry.

+**--retry-times**
+
+The number of times to retry.
+
+**--retry-delay**
+
+Fixed delay between retries. If not set (or set to 0s), retry wait time will be exponentially increased based on the number of failed attempts.
+
+**--keep-going**
+If any errors occur during copying of images, those errors are logged and the process continues syncing rest of the images and finally fails at the end.
+
+**--src-username**
+
+The username to access the source registry.
+
+**--src-password**
+
+The password to access the source registry.
+
+**--dest-username**
+
+The username to access the destination registry.
+
+**--dest-password**
+
+The password to access the destination registry.
+
 ## EXAMPLES

 ### Synchronizing to a local directory
-```
+```console
 $ skopeo sync --src docker --dest dir registry.example.com/busybox /media/usb
 ```
 Images are located at:
@@ -101,7 +171,7 @@ Images are located at:
 /media/usb/busybox:1-glibc
 ```
 Sync run
-```
+```console
 $ skopeo sync --src dir --dest docker /media/usb/busybox:1-glibc my-registry.local.lan/test/
 ```
 Destination registry content:
@@ -111,7 +181,7 @@ my-registry.local.lan/test/busybox   1-glibc
 ```

 ### Synchronizing to a local directory, scoped
-```
+```console
 $ skopeo sync --src docker --dest dir --scoped registry.example.com/busybox /media/usb
 ```
 Images are located at:
@@ -124,8 +194,8 @@ Images are located at:
 ```

 ### Synchronizing to a container registry
-```
-skopeo sync --src docker --dest docker registry.example.com/busybox my-registry.local.lan
+```console
+$ skopeo sync --src docker --dest docker registry.example.com/busybox my-registry.local.lan
 ```
 Destination registry content:
 ```
@@ -134,8 +204,8 @@ registry.local.lan/busybox   1-glibc, 1-musl, 1-ubuntu, ..., latest
 ```

 ### Synchronizing to a container registry keeping the repository
-```
-skopeo sync --src docker --dest docker registry.example.com/repo/busybox my-registry.local.lan/repo
+```console
+$ skopeo sync --src docker --dest docker registry.example.com/repo/busybox my-registry.local.lan/repo
 ```
 Destination registry content:
 ```
@@ -143,6 +213,16 @@ REPO                              TAGS
 registry.local.lan/repo/busybox   1-glibc, 1-musl, 1-ubuntu, ..., latest
 ```

+### Synchronizing to a container registry with tag suffix
+```console
+$ skopeo sync --src docker --dest docker --append-suffix '-mirror' registry.example.com/busybox my-registry.local.lan
+```
+Destination registry content:
+```
+REPO                         TAGS
+registry.local.lan/busybox   1-glibc-mirror, 1-musl-mirror, 1-ubuntu-mirror, ..., latest-mirror
+```
+
 ### YAML file content (used _source_ for `**--src yaml**`)

 ```yaml
@@ -155,6 +235,8 @@ registry.example.com:
            - "sha256:0000000000000000000000000000000011111111111111111111111111111111"
    images-by-tag-regex:
        nginx: ^1\.13\.[12]-alpine-perl$
+    images-by-semver:
+        alpine: ">= 3.12.0"
    credentials:
        username: john
        password: this is a secret
@@ -167,14 +249,22 @@ quay.io:
            - latest
 ```
 If the yaml filename is `sync.yml`, sync run:
-```
-skopeo sync --src yaml --dest docker sync.yml my-registry.local.lan/repo/
+```console
+$ skopeo sync --src yaml --dest docker sync.yml my-registry.local.lan/repo/
 ```
 This will copy the following images:
 - Repository `registry.example.com/busybox`: all images, as no tags are specified.
 - Repository `registry.example.com/redis`: images tagged "1.0" and "2.0" along with image with digest "sha256:0000000000000000000000000000000011111111111111111111111111111111".
 - Repository `registry.example.com/nginx`: images tagged "1.13.1-alpine-perl" and "1.13.2-alpine-perl".
 - Repository `quay.io/coreos/etcd`: images tagged "latest".
+- Repository `registry.example.com/alpine`: all images with tags match the semantic version constraint ">= 3.12.0" ("3.12.0, "3.12.1", ... ,"4.0.0", ...)
+
+The full list of possible semantic version comparisons can be found in the
+upstream library's documentation:
+https://github.com/Masterminds/semver/tree/v3.2.0#basic-comparisons.
+
+Version ordering and precedence is understood as defined here:
+https://semver.org/#spec-item-11.

 For the registry `registry.example.com`, the "john"/"this is a secret" credentials are used, with server TLS certificates located at `/home/john/certs`.

--- a/docs/skopeo.1.md
+++ b/docs/skopeo.1.md
@@ -47,55 +47,90 @@ Most commands refer to container images, using a _transport_`:`_details_ format.
  **oci-archive:**_path_**:**_tag_
  An image _tag_ in a tar archive compliant with "Open Container Image Layout Specification" at _path_.

-See [containers-transports(5)](https://github.com/containers/image/blob/master/docs/containers-transports.5.md) for details.
+See [containers-transports(5)](https://github.com/containers/image/blob/main/docs/containers-transports.5.md) for details.

 ## OPTIONS

-  **--command-timeout** _duration_ Timeout for the command execution.
+These options should be placed before the subcommand name.
+Individual subcommands have their own options.

-  **--debug** enable debug output
+**--command-timeout** _duration_

-  **--help**|**-h** Show help
+Timeout for the command execution.

-  **--insecure-policy** Adopt an insecure, permissive policy that allows anything. This obviates the need for a policy file.
+**--debug**

-  **--override-arch** _arch_ Use _arch_ instead of the architecture of the machine for choosing images.
+enable debug output

-  **--override-os** _OS_ Use _OS_ instead of the running OS for choosing images.
+**--help**, **-h**

-  **--override-variant** _VARIANT_ Use _VARIANT_ instead of the running architecture variant for choosing images.
+Show help

-  **--policy** _path-to-policy_ Path to a policy.json file to use for verifying signatures and deciding whether an image is trusted, overriding the default trust policy file.
+**--insecure-policy**

-  **--registries.d** _dir_ use registry configuration files in _dir_ (e.g. for container signature storage), overriding the default path.
+Adopt an insecure, permissive policy that allows anything. This obviates the need for a policy file.

-  **--tmpdir** _dir_ used to store temporary files. Defaults to /var/tmp.
+**--override-arch** _arch_

-  **--version**|**-v** print the version number
+Use _arch_ instead of the architecture of the machine for choosing images.
+
+**--override-os** _os_
+
+Use _OS_ instead of the running OS for choosing images.
+
+**--override-variant** _variant_
+
+Use _variant_ instead of the running architecture variant for choosing images.
+
+**--policy** _path-to-policy_
+
+Path to a policy.json file to use for verifying signatures and deciding whether an image is trusted, overriding the default trust policy file.
+
+**--registries.d** _dir_
+
+Use registry configuration files in _dir_ (e.g. for container signature storage), overriding the default path.
+
+**--tmpdir** _dir_
+
+Directory used to store temporary files. Defaults to /var/tmp.
+
+**--version**, **-v**
+
+Print the version number

 ## COMMANDS

 | Command                                   | Description                                                                    |
 | ----------------------------------------- | ------------------------------------------------------------------------------ |
 | [skopeo-copy(1)](skopeo-copy.1.md)        | Copy an image (manifest, filesystem layers, signatures) from one location to another. |
-| [skopeo-delete(1)](skopeo-delete.1.md)    | Mark image-name for deletion.                                                  |
-| [skopeo-inspect(1)](skopeo-inspect.1.md)  | Return low-level information about image-name in a registry.                   |
-| [skopeo-list-tags(1)](skopeo-list-tags.1.md)  | List the tags for the given transport/repository.                           |
+| [skopeo-delete(1)](skopeo-delete.1.md)    | Mark the _image-name_ for later deletion by the registry's garbage collector.  |
+| [skopeo-generate-sigstore-key(1)](skopeo-generate-sigstore-key.1.md)    | Generate a sigstore public/private key pair.  |
+| [skopeo-inspect(1)](skopeo-inspect.1.md)  | Return low-level information about _image-name_ in a registry.                 |
+| [skopeo-list-tags(1)](skopeo-list-tags.1.md)  | List image names in a transport-specific collection of images.|
 | [skopeo-login(1)](skopeo-login.1.md)  | Login to a container registry. |
 | [skopeo-logout(1)](skopeo-logout.1.md)  | Logout of a container registry. |
-| [skopeo-manifest-digest(1)](skopeo-manifest-digest.1.md)    | Compute a manifest digest of manifest-file and write it to standard output.|
-| [skopeo-standalone-sign(1)](skopeo-standalone-sign.1.md)    | Sign an image.                                               |
-| [skopeo-standalone-verify(1)](skopeo-standalone-verify.1.md)| Verify an image.                                             |
-| [skopeo-sync(1)](skopeo-sync.1.md)| Copy images from one or more repositories to a user specified destination.             |
+| [skopeo-manifest-digest(1)](skopeo-manifest-digest.1.md)    | Compute a manifest digest for a manifest-file and write it to standard output. |
+| [skopeo-standalone-sign(1)](skopeo-standalone-sign.1.md)    | Debugging tool - Sign an image locally without uploading.    |
+| [skopeo-standalone-verify(1)](skopeo-standalone-verify.1.md)| Debugging tool - Verify an image signature from local files. |
+| [skopeo-sync(1)](skopeo-sync.1.md)| Synchronize images between registry repositories and local directories.                |
+
+## EXIT STATUS
+`skopeo` exits with status 0 on success, non-zero on error.
+
+Details about the exit statuses:
+
+**1** Generic error, details can be found in the error message.
+
+**2** The input image cannot be found. Note that this is best effort and for remote registries the status often cannot be reliably reported.

 ## FILES
  **/etc/containers/policy.json**
  Default trust policy file, if **--policy** is not specified.
-  The policy format is documented in [containers-policy.json(5)](https://github.com/containers/image/blob/master/docs/containers-policy.json.5.md) .
+  The policy format is documented in [containers-policy.json(5)](https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md) .

  **/etc/containers/registries.d**
  Default directory containing registry configuration, if **--registries.d** is not specified.
-  The contents of this directory are documented in [containers-policy.json(5)](https://github.com/containers/image/blob/master/docs/containers-policy.json.5.md).
+  The contents of this directory are documented in [containers-registries.d(5)](https://github.com/containers/image/blob/main/docs/containers-registries.d.5.md).

 ## SEE ALSO
 skopeo-login(1), docker-login(1), containers-auth.json(5), containers-storage.conf(5), containers-policy.json(5), containers-transports(5)
--- a/docs/skopeo.svg
+++ b/docs/skopeo.svg
@@ -1,546 +1,74 @@
 <?xml version="1.0" encoding="UTF-8" standalone="no"?>
 <!-- Created with Inkscape (http://www.inkscape.org/) -->
-
-<svg
-   xmlns:dc="http://purl.org/dc/elements/1.1/"
-   xmlns:cc="http://creativecommons.org/ns#"
-   xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
-   xmlns:svg="http://www.w3.org/2000/svg"
-   xmlns="http://www.w3.org/2000/svg"
-   xmlns:xlink="http://www.w3.org/1999/xlink"
-   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
-   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
-   width="480.61456"
-   height="472.66098"
-   viewBox="0 0 127.1626 125.05822"
-   version="1.1"
-   id="svg8"
-   inkscape:version="0.92.2 5c3e80d, 2017-08-06"
-   sodipodi:docname="skopeo.svg"
-   inkscape:export-filename="/home/duffy/Documents/Projects/Favors/skopeo-logo/skopeo.color.png"
-   inkscape:export-xdpi="90"
-   inkscape:export-ydpi="90">
-  <defs
-     id="defs2">
-    <linearGradient
-       inkscape:collect="always"
-       id="linearGradient84477">
-      <stop
-         style="stop-color:#0093d9;stop-opacity:1"
-         offset="0"
-         id="stop84473" />
-      <stop
-         style="stop-color:#ffffff;stop-opacity:1"
-         offset="1"
-         id="stop84475" />
-    </linearGradient>
-    <linearGradient
-       inkscape:collect="always"
-       id="linearGradient84469">
-      <stop
-         style="stop-color:#f6e6c8;stop-opacity:1"
-         offset="0"
-         id="stop84465" />
-      <stop
-         style="stop-color:#dc9f2e;stop-opacity:1"
-         offset="1"
-         id="stop84467" />
-    </linearGradient>
-    <linearGradient
-       inkscape:collect="always"
-       id="linearGradient84461">
-      <stop
-         style="stop-color:#bfdce8;stop-opacity:1;"
-         offset="0"
-         id="stop84457" />
-      <stop
-         style="stop-color:#2a72ac;stop-opacity:1"
-         offset="1"
-         id="stop84459" />
-    </linearGradient>
-    <linearGradient
-       inkscape:collect="always"
-       id="linearGradient84420">
-      <stop
-         style="stop-color:#a7a9ac;stop-opacity:1;"
-         offset="0"
-         id="stop84416" />
-      <stop
-         style="stop-color:#e7e8e9;stop-opacity:1"
-         offset="1"
-         id="stop84418" />
-    </linearGradient>
-    <linearGradient
-       inkscape:collect="always"
-       id="linearGradient84347">
-      <stop
-         style="stop-color:#2c2d2f;stop-opacity:1;"
-         offset="0"
-         id="stop84343" />
-      <stop
-         style="stop-color:#000000;stop-opacity:1"
-         offset="1"
-         id="stop84345" />
-    </linearGradient>
-    <linearGradient
-       inkscape:collect="always"
-       id="linearGradient84339">
-      <stop
-         style="stop-color:#002442;stop-opacity:1;"
-         offset="0"
-         id="stop84335" />
-      <stop
-         style="stop-color:#151617;stop-opacity:1"
-         offset="1"
-         id="stop84337" />
-    </linearGradient>
-    <linearGradient
-       inkscape:collect="always"
-       id="linearGradient84331">
-      <stop
-         style="stop-color:#003d6e;stop-opacity:1;"
-         offset="0"
-         id="stop84327" />
-      <stop
-         style="stop-color:#59b5ff;stop-opacity:1"
-         offset="1"
-         id="stop84329" />
-    </linearGradient>
-    <linearGradient
-       inkscape:collect="always"
-       id="linearGradient84323">
-      <stop
-         style="stop-color:#dc9f2e;stop-opacity:1;"
-         offset="0"
-         id="stop84319" />
-      <stop
-         style="stop-color:#ffffff;stop-opacity:1"
-         offset="1"
-         id="stop84321" />
-    </linearGradient>
-    <linearGradient
-       inkscape:collect="always"
-       xlink:href="#linearGradient84323"
-       id="linearGradient84325"
-       x1="221.5741"
-       y1="250.235"
-       x2="219.20772"
-       y2="221.99771"
-       gradientUnits="userSpaceOnUse"
-       gradientTransform="translate(0,10.583333)" />
-    <linearGradient
-       inkscape:collect="always"
-       xlink:href="#linearGradient84331"
-       id="linearGradient84333"
-       x1="223.23239"
-       y1="212.83418"
-       x2="245.52328"
-       y2="129.64345"
-       gradientUnits="userSpaceOnUse"
-       gradientTransform="translate(0,10.583333)" />
-    <linearGradient
-       inkscape:collect="always"
-       xlink:href="#linearGradient84339"
-       id="linearGradient84341"
-       x1="190.36137"
-       y1="217.8925"
-       x2="205.20828"
-       y2="209.32063"
-       gradientUnits="userSpaceOnUse" />
-    <linearGradient
-       inkscape:collect="always"
-       xlink:href="#linearGradient84347"
-       id="linearGradient84349"
-       x1="212.05453"
-       y1="215.20055"
-       x2="237.73705"
-       y2="230.02835"
-       gradientUnits="userSpaceOnUse"
-       gradientTransform="translate(0,10.583333)" />
-    <linearGradient
-       inkscape:collect="always"
-       xlink:href="#linearGradient84323"
-       id="linearGradient84363"
-       x1="193.61516"
-       y1="225.045"
-       x2="224.08698"
-       y2="223.54327"
-       gradientUnits="userSpaceOnUse"
-       gradientTransform="translate(0,10.583333)" />
-    <linearGradient
-       inkscape:collect="always"
-       xlink:href="#linearGradient84323"
-       id="linearGradient84377"
-       x1="182.72513"
-       y1="222.54439"
-       x2="184.01024"
-       y2="210.35291"
-       gradientUnits="userSpaceOnUse"
-       gradientTransform="translate(0,10.583333)" />
-    <linearGradient
-       inkscape:collect="always"
-       xlink:href="#linearGradient84420"
-       id="linearGradient84408"
-       x1="211.73801"
-       y1="225.48302"
-       x2="204.24324"
-       y2="238.46432"
-       gradientUnits="userSpaceOnUse"
-       gradientTransform="translate(0,10.583333)" />
-    <linearGradient
-       inkscape:collect="always"
-       xlink:href="#linearGradient84420"
-       id="linearGradient84422"
-       x1="190.931"
-       y1="221.83777"
-       x2="187.53873"
-       y2="229.26593"
-       gradientUnits="userSpaceOnUse"
-       gradientTransform="translate(0,10.583333)" />
-    <linearGradient
-       inkscape:collect="always"
-       xlink:href="#linearGradient84339"
-       id="linearGradient84425"
-       gradientUnits="userSpaceOnUse"
-       x1="190.36137"
-       y1="217.8925"
-       x2="205.20828"
-       y2="209.32063"
-       gradientTransform="translate(0,10.583333)" />
-    <linearGradient
-       inkscape:collect="always"
-       xlink:href="#linearGradient84420"
-       id="linearGradient84441"
-       x1="169.95944"
-       y1="215.77036"
-       x2="174.0289"
-       y2="207.81528"
-       gradientUnits="userSpaceOnUse"
-       gradientTransform="translate(0,10.583333)" />
-    <linearGradient
-       inkscape:collect="always"
-       xlink:href="#linearGradient84420"
-       id="linearGradient84455"
-       x1="234.08092"
-       y1="252.39755"
-       x2="245.88477"
-       y2="251.21777"
-       gradientUnits="userSpaceOnUse"
-       gradientTransform="translate(0,10.583333)" />
-    <radialGradient
-       inkscape:collect="always"
-       xlink:href="#linearGradient84461"
-       id="radialGradient84463"
-       cx="213.19594"
-       cy="223.40646"
-       fx="214.12064"
-       fy="217.34077"
-       r="33.39888"
-       gradientUnits="userSpaceOnUse"
-       gradientTransform="matrix(2.6813748,0.05304973,-0.0423372,2.1399146,-349.74924,-255.6421)" />
-    <radialGradient
-       inkscape:collect="always"
-       xlink:href="#linearGradient84469"
-       id="radialGradient84471"
-       cx="207.18298"
-       cy="211.06483"
-       fx="207.18298"
-       fy="211.06483"
-       r="2.77954"
-       gradientTransform="matrix(1.4407627,0.18685239,-0.24637721,1.8997405,-38.989952,-218.98841)"
-       gradientUnits="userSpaceOnUse" />
-    <linearGradient
-       inkscape:collect="always"
-       xlink:href="#linearGradient84477"
-       id="linearGradient84479"
-       x1="241.60336"
-       y1="255.46982"
-       x2="244.45177"
-       y2="250.4846"
-       gradientUnits="userSpaceOnUse"
-       gradientTransform="translate(0,10.583333)" />
+<svg width="168.71024mm" height="145.54036mm" viewBox="0 0 168.71024 145.54036" version="1.1" id="svg2674" inkscape:version="1.2 (dc2aedaf03, 2022-05-15)" sodipodi:docname="skopeo-badge-full-vert.svg" inkscape:export-filename="skopeo-badge-full-vert.png" inkscape:export-xdpi="51.86108" inkscape:export-ydpi="51.86108" xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape" xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd" xmlns="http://www.w3.org/2000/svg" xmlns:svg="http://www.w3.org/2000/svg" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:cc="http://creativecommons.org/ns#" xmlns:dc="http://purl.org/dc/elements/1.1/">
+  <defs id="defs2668">
+    <inkscape:path-effect is_visible="true" id="path-effect10334" effect="spiro" lpeversion="0"/>
+    <inkscape:path-effect effect="spiro" id="path-effect10336" is_visible="true" lpeversion="0"/>
+    <inkscape:path-effect is_visible="true" id="path-effect9986" effect="spiro" lpeversion="0"/>
+    <inkscape:path-effect effect="spiro" id="path-effect9984" is_visible="true" lpeversion="0"/>
+    <inkscape:path-effect effect="spiro" id="path-effect10300" is_visible="true" lpeversion="0"/>
+    <inkscape:path-effect is_visible="true" id="path-effect10304" effect="spiro" lpeversion="0"/>
+    <inkscape:path-effect is_visible="true" id="path-effect124972" effect="spiro" lpeversion="0"/>
+    <inkscape:path-effect is_visible="true" id="path-effect124976" effect="spiro" lpeversion="0"/>
+    <inkscape:path-effect is_visible="true" id="path-effect163593" effect="spiro" lpeversion="0"/>
+    <inkscape:path-effect effect="spiro" id="path-effect163605" is_visible="true" lpeversion="0"/>
+    <inkscape:path-effect is_visible="true" id="path-effect163611" effect="spiro" lpeversion="0"/>
+    <inkscape:path-effect effect="spiro" id="path-effect163615" is_visible="true" lpeversion="0"/>
+    <inkscape:path-effect effect="spiro" id="path-effect163619" is_visible="true" lpeversion="0"/>
+    <inkscape:path-effect effect="spiro" id="path-effect163629" is_visible="true" lpeversion="0"/>
+    <inkscape:path-effect is_visible="true" id="path-effect163633" effect="spiro" lpeversion="0"/>
+    <inkscape:path-effect is_visible="true" id="path-effect163651" effect="spiro" lpeversion="0"/>
+    <inkscape:path-effect effect="spiro" id="path-effect163655" is_visible="true" lpeversion="0"/>
+    <inkscape:path-effect is_visible="true" id="path-effect163597" effect="spiro" lpeversion="0"/>
  </defs>
-  <sodipodi:namedview
-     id="base"
-     pagecolor="#ffffff"
-     bordercolor="#666666"
-     borderopacity="1.0"
-     inkscape:pageopacity="0.0"
-     inkscape:pageshadow="2"
-     inkscape:zoom="1"
-     inkscape:cx="517.27113"
-     inkscape:cy="314.79773"
-     inkscape:document-units="mm"
-     inkscape:current-layer="layer1"
-     inkscape:document-rotation="0"
-     showgrid="false"
-     units="px"
-     inkscape:snap-global="false"
-     inkscape:window-width="2560"
-     inkscape:window-height="1376"
-     inkscape:window-x="0"
-     inkscape:window-y="27"
-     inkscape:window-maximized="1"
-     fit-margin-top="0"
-     fit-margin-left="0"
-     fit-margin-right="0"
-     fit-margin-bottom="0" />
-  <metadata
-     id="metadata5">
+  <sodipodi:namedview id="base" pagecolor="#ffffff" bordercolor="#666666" borderopacity="1.0" inkscape:pageopacity="0.0" inkscape:pageshadow="2" inkscape:zoom="0.7" inkscape:cx="399.28571" inkscape:cy="187.14286" inkscape:document-units="mm" inkscape:current-layer="g1208" showgrid="false" fit-margin-top="10" fit-margin-left="10" fit-margin-right="10" fit-margin-bottom="10" inkscape:window-width="2560" inkscape:window-height="1403" inkscape:window-x="0" inkscape:window-y="0" inkscape:window-maximized="1" inkscape:pagecheckerboard="0" inkscape:showpageshadow="2" inkscape:deskcolor="#d1d1d1"/>
+  <metadata id="metadata2671">
    <rdf:RDF>
-      <cc:Work
-         rdf:about="">
+      <cc:Work rdf:about="">
        <dc:format>image/svg+xml</dc:format>
-        <dc:type
-           rdf:resource="http://purl.org/dc/dcmitype/StillImage" />
-        <dc:title />
+        <dc:type rdf:resource="http://purl.org/dc/dcmitype/StillImage"/>
      </cc:Work>
    </rdf:RDF>
  </metadata>
-  <g
-     inkscape:label="Layer 1"
-     inkscape:groupmode="layer"
-     id="layer1"
-     transform="translate(-149.15784,-175.92614)">
-    <g
-       id="g84497"
-       style="stroke-width:1.32291663;stroke-miterlimit:4;stroke-dasharray:none"
-       transform="translate(0,10.583333)">
-      <rect
-         style="fill:#ffffff;stroke:#000000;stroke-width:1.32291663;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
-         id="rect84485"
-         width="31.605196"
-         height="19.16976"
-         x="299.48376"
-         y="87.963303"
-         transform="rotate(30)" />
-      <rect
-         style="fill:#ffffff;stroke:#000000;stroke-width:1.32291663;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
-         id="rect84487"
-         width="16.725054"
-         height="9.8947001"
-         x="258.07639"
-         y="92.60083"
-         transform="rotate(30)" />
-      <rect
-         style="fill:#ffffff;stroke:#000000;stroke-width:1.32291663;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
-         id="rect84489"
-         width="4.8383565"
-         height="11.503917"
-         x="253.2236"
-         y="91.796227"
-         transform="rotate(30)" />
-      <rect
-         y="86.859642"
-         x="331.21924"
-         height="21.377089"
-         width="4.521956"
-         id="rect84491"
-         style="fill:#ffffff;stroke:#000000;stroke-width:1.32291663;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
-         transform="rotate(30)" />
+  <g inkscape:label="Layer 1" inkscape:groupmode="layer" id="layer1" transform="translate(378.90631,201.21016)">
+    <g id="g1208">
+      <g id="g81584" transform="matrix(1.7276536,0,0,1.7276536,-401.82487,-530.26362)" inkscape:export-filename="/home/duffy/Documents/Projects/Favors/skopeo-logo/new skopeo/skopeo-logomark_medium_transparent-bg.png" inkscape:export-xdpi="51.86108" inkscape:export-ydpi="51.86108">
+        <g style="fill:#ffffff;fill-opacity:1;stroke:#3c6eb4;stroke-opacity:1" id="g81528" transform="translate(-734.38295,98.0028)">
+          <path inkscape:connector-curvature="0" style="opacity:1;fill:#ffffff;fill-opacity:1;stroke:#3c6eb4;stroke-width:1.05833;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" d="m 796.57913,145.63255 -19.29817,-9.23285 -4.82036,-20.8616 13.2871,-16.780616 21.38926,-0.06408 13.38485,16.701146 -4.69887,20.8897 z" id="path81526"/>
+        </g>
+        <g transform="matrix(0.43729507,0,0,0.43729507,42.235192,80.461942)" id="g81554">
+          <rect style="fill:#b3b3b3;fill-opacity:1;stroke:#808080;stroke-width:1.81514;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:6;stroke-opacity:1" id="rect81530" width="16.725054" height="9.8947001" x="158.13725" y="255.21965" transform="rotate(30)"/>
+          <rect style="fill:#ffffff;stroke:#000000;stroke-width:1.32292;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:6" id="rect81532" width="4.8383565" height="11.503917" x="153.28447" y="254.41505" transform="rotate(30)"/>
+          <path sodipodi:nodetypes="cczc" inkscape:connector-curvature="0" id="path81534" d="m 78.802289,335.54596 -9.111984,15.78242 c 1.40192,0.25963 4.990131,-0.63196 7.869989,-5.61868 2.879866,-4.98671 2.168498,-9.07865 1.241995,-10.16374 z" style="fill:#9dc6e7;fill-opacity:1;stroke:#2a72ac;stroke-width:1.81514;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:6;stroke-opacity:1"/>
+          <rect transform="rotate(30)" y="250.58212" x="199.54463" height="19.16976" width="31.605196" id="rect81536" style="fill:#b3b3b3;fill-opacity:1;stroke:#808080;stroke-width:1.81514;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:6;stroke-opacity:1"/>
+          <rect transform="rotate(30)" style="fill:#b3b3b3;fill-opacity:1;stroke:#808080;stroke-width:1.81514;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:6;stroke-opacity:1" id="rect81538" width="16.459545" height="15.252436" x="178.48766" y="252.54079"/>
+          <g style="stroke:#808080;stroke-opacity:1" id="g81548">
+            <rect style="fill:#e1ae4f;fill-opacity:1;stroke:#a1721b;stroke-width:1.81514;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:6;stroke-opacity:1" id="rect81540" width="4.521956" height="21.377089" x="195.04353" y="249.47847" transform="rotate(30)"/>
+            <rect y="251.64348" x="174.76939" height="17.047071" width="3.617183" id="rect81542" style="fill:#e1ae4f;fill-opacity:1;stroke:#a1721b;stroke-width:1.81514;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:6;stroke-opacity:1" transform="rotate(30)"/>
+            <rect style="fill:#e1ae4f;fill-opacity:1;stroke:#a1721b;stroke-width:1.81514;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:6;stroke-opacity:1" id="rect81544" width="4.8383565" height="11.503917" x="153.28447" y="254.41505" transform="rotate(30)"/>
+            <rect y="249.47847" x="231.28011" height="21.377089" width="4.521956" id="rect81546" style="fill:#e1ae4f;fill-opacity:1;stroke:#a1721b;stroke-width:1.81574;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:6;stroke-opacity:1" transform="rotate(30)"/>
+          </g>
+          <path inkscape:connector-curvature="0" id="path81550" d="m 47.691007,322.31629 22.49734,12.98884" style="fill:#ffffff;fill-rule:evenodd;stroke:#ffffff;stroke-width:3.02523;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"/>
+          <path style="fill:#ffffff;fill-rule:evenodd;stroke:#ffffff;stroke-width:3.02523;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" d="m 27.886021,312.45704 9.423431,5.07506" id="path81552" inkscape:connector-curvature="0"/>
+        </g>
+        <g transform="matrix(0.43729507,0,0,0.43729507,42.235192,101.28812)" id="g81568">
+          <path style="fill:#2a72ac;fill-opacity:1;stroke:#003e6f;stroke-width:1.81514;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:6;stroke-opacity:1" d="m 34.507847,231.71327 26.65552,8.43269 21.69622,19.51455 -8.68507,12.39398 -46.04559,-26.61429 z" id="path81556" inkscape:connector-curvature="0" sodipodi:nodetypes="cccccc"/>
+          <path sodipodi:nodetypes="ccccc" inkscape:connector-curvature="0" id="path81558" d="m 28.119527,245.45648 46.0456,26.61429 -3.50256,6.07342 -46.0456,-26.61429 z" style="fill:#808080;fill-opacity:1;stroke:#000000;stroke-width:1.81514;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:6"/>
+          <path style="fill:#4d4d4d;fill-opacity:1;fill-rule:evenodd;stroke:#000000;stroke-width:1.81514;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" d="m 24.616967,251.5299 -11.1013,8.29627 c 0,0 6.16202,4.57403 15.2798,4.67656 9.1178,0.1025 11.46925,-3.93799 11.46925,-3.93799 z" id="path81560" inkscape:connector-curvature="0" sodipodi:nodetypes="ccccc"/>
+          <ellipse ry="3.8438656" rx="3.8395541" style="fill:#e1ae4f;fill-opacity:1;stroke:#a1721b;stroke-width:1.81514;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:6;stroke-opacity:1" id="ellipse81562" cx="39.230743" cy="255.66997"/>
+          <path sodipodi:nodetypes="ccc" style="fill:none;fill-opacity:1;fill-rule:evenodd;stroke:#9dc6e7;stroke-width:1.81514;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" d="m 71.999346,266.02935 -8.9307,-5.38071 10.81942,-5.07707" id="path81564" inkscape:connector-curvature="0"/>
+          <path style="fill:none;fill-opacity:1;fill-rule:evenodd;stroke:#9dc6e7;stroke-width:1.81514;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" d="m 35.169799,245.57008 10.37702,-6.1817 -7.12581,-2.30459" id="path81566" inkscape:connector-curvature="0" sodipodi:nodetypes="ccc"/>
+        </g>
+        <g style="fill:none;fill-opacity:1;stroke:#9dc6e7;stroke-opacity:1" id="g81582" transform="translate(0.69195604,69.064926)">
+          <path inkscape:export-ydpi="96.181694" inkscape:export-xdpi="96.181694" sodipodi:nodetypes="cc" style="fill:none;fill-opacity:1;stroke:#9dc6e7;stroke-width:0.79375;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" d="m 83.087609,145.72448 -3.6551,1.27991" id="path81570" inkscape:connector-curvature="0" inkscape:export-filename="/home/duffy/Documents/Projects/Favors/Buildah logo/final/color-not-color.png"/>
+          <path inkscape:export-filename="/home/duffy/Documents/Projects/Favors/Buildah logo/final/color-not-color.png" sodipodi:nodetypes="cc" style="fill:none;fill-opacity:1;stroke:#9dc6e7;stroke-width:0.79375;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" d="m 51.138114,129.84674 1.971302,3.71206" id="path81572" inkscape:connector-curvature="0" inkscape:export-xdpi="96.181694" inkscape:export-ydpi="96.181694"/>
+          <path inkscape:export-filename="/home/duffy/Documents/Projects/Favors/Buildah logo/final/color-not-color.png" inkscape:connector-curvature="0" id="path81574" d="m 70.63337,129.84674 -2.345479,4.17978" style="fill:none;fill-opacity:1;stroke:#9dc6e7;stroke-width:0.79375;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" sodipodi:nodetypes="cc" inkscape:export-xdpi="96.181694" inkscape:export-ydpi="96.181694"/>
+          <path inkscape:export-ydpi="96.181694" inkscape:export-xdpi="96.181694" sodipodi:nodetypes="cc" inkscape:connector-curvature="0" id="path81576" d="m 61.405599,166.31541 v 5.83669" style="fill:none;fill-opacity:1;stroke:#9dc6e7;stroke-width:0.79375;stroke-linecap:square;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1" inkscape:export-filename="/home/duffy/Documents/Projects/Favors/Buildah logo/final/color-not-color.png"/>
+          <path inkscape:export-ydpi="96.181694" inkscape:export-xdpi="96.181694" inkscape:connector-curvature="0" id="path81578" d="m 43.729779,164.25283 4.216366,-4.18995" style="fill:none;fill-opacity:1;stroke:#9dc6e7;stroke-width:0.79375;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" sodipodi:nodetypes="cc" inkscape:export-filename="/home/duffy/Documents/Projects/Favors/Buildah logo/final/color-not-color.png"/>
+          <path inkscape:export-ydpi="96.181694" inkscape:export-xdpi="96.181694" sodipodi:nodetypes="cc" style="fill:none;fill-opacity:1;stroke:#9dc6e7;stroke-width:0.79375;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" d="m 79.100039,164.25283 -1.50358,-1.57071" id="path81580" inkscape:connector-curvature="0" inkscape:export-filename="/home/duffy/Documents/Projects/Favors/Buildah logo/final/color-not-color.png"/>
+        </g>
+      </g>
+      <text id="text81524" y="-73.044861" x="-363.40085" style="font-style:normal;font-weight:normal;font-size:37.592px;line-height:22.5552px;font-family:sans-serif;letter-spacing:0px;word-spacing:0px;fill:#e1ae4f;fill-opacity:1;stroke:none;stroke-width:0.264583px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1" xml:space="preserve"><tspan style="font-style:normal;font-variant:normal;font-weight:500;font-stretch:normal;font-family:Montserrat;-inkscape-font-specification:'Montserrat Medium';fill:#e1ae4f;fill-opacity:1;stroke-width:0.264583px" y="-73.044861" x="-363.40085" id="tspan81522" sodipodi:role="line" dx="0 0 0 0 0 0"><tspan style="font-style:normal;font-variant:normal;font-weight:500;font-stretch:normal;font-family:Montserrat;-inkscape-font-specification:'Montserrat Medium';fill:#294172;fill-opacity:1" id="tspan81514">sk</tspan><tspan style="font-style:normal;font-variant:normal;font-weight:500;font-stretch:normal;font-family:Montserrat;-inkscape-font-specification:'Montserrat Medium';fill:#2a72ac;fill-opacity:1" id="tspan81516">o</tspan><tspan style="font-style:normal;font-variant:normal;font-weight:500;font-stretch:normal;font-family:Montserrat;-inkscape-font-specification:'Montserrat Medium';fill:#294172;fill-opacity:1" id="tspan81518">pe</tspan><tspan style="font-style:normal;font-variant:normal;font-weight:500;font-stretch:normal;font-family:Montserrat;-inkscape-font-specification:'Montserrat Medium';fill:#2a72ac;fill-opacity:1" id="tspan81520">o</tspan></tspan></text>
    </g>
-    <path
-       style="fill:#ffffff;stroke:#000000;stroke-width:1.32291663;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
-       d="m 246.61693,255.0795 -9.11198,15.78242 a 2.6351497,9.1643514 30 0 0 6.60453,-6.7032 2.6351497,9.1643514 30 0 0 2.50745,-9.07922 z"
-       id="path84483"
-       inkscape:connector-curvature="0" />
-    <path
-       sodipodi:nodetypes="cccccc"
-       inkscape:connector-curvature="0"
-       id="path84481"
-       d="m 202.36709,199.05917 26.65552,8.43269 21.69622,19.51455 -8.68507,12.39398 -46.04559,-26.61429 z"
-       style="fill:#ffffff;stroke:#000000;stroke-width:1.32291663;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952" />
-    <circle
-       style="fill:#ffffff;stroke:#000000;stroke-width:1.32291663;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
-       id="path84224"
-       cx="213.64427"
-       cy="234.18927"
-       r="35.482784" />
-    <circle
-       r="33.39888"
-       cy="234.18927"
-       cx="213.64427"
-       id="circle84226"
-       style="fill:url(#radialGradient84463);fill-opacity:1;stroke:none;stroke-width:0.52916664;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952" />
-    <rect
-       style="fill:#ffffff;stroke:#000000;stroke-width:0.79375005;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
-       id="rect84114"
-       width="31.605196"
-       height="19.16976"
-       x="304.77545"
-       y="97.128738"
-       transform="rotate(30)" />
-    <rect
-       style="fill:#ffffff;stroke:#000000;stroke-width:0.79374999;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
-       id="rect84116"
-       width="4.521956"
-       height="21.377089"
-       x="300.27435"
-       y="96.025078"
-       transform="rotate(30)" />
-    <rect
-       y="99.087395"
-       x="283.71848"
-       height="15.252436"
-       width="16.459545"
-       id="rect84118"
-       style="fill:#ffffff;stroke:#000000;stroke-width:0.79375005;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
-       transform="rotate(30)" />
-    <rect
-       y="98.190086"
-       x="280.00021"
-       height="17.047071"
-       width="3.617183"
-       id="rect84120"
-       style="fill:#ffffff;stroke:#000000;stroke-width:0.79374999;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
-       transform="rotate(30)" />
-    <rect
-       style="fill:#ffffff;stroke:#000000;stroke-width:0.79375005;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
-       id="rect84122"
-       width="16.725054"
-       height="9.8947001"
-       x="263.36807"
-       y="101.76627"
-       transform="rotate(30)" />
-    <rect
-       style="fill:#ffffff;stroke:#000000;stroke-width:0.79374999;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
-       id="rect84124"
-       width="4.8383565"
-       height="11.503917"
-       x="258.51526"
-       y="100.96166"
-       transform="rotate(30)" />
-    <rect
-       y="96.025078"
-       x="336.51093"
-       height="21.377089"
-       width="4.521956"
-       id="rect84126"
-       style="fill:#ffffff;stroke:#000000;stroke-width:0.79374999;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
-       transform="rotate(30)" />
-    <path
-       style="fill:url(#linearGradient84325);fill-opacity:1;stroke:none;stroke-width:0.79375005;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
-       d="m 207.24023,252.71811 25.53907,14.74414 8.52539,-14.76953 -25.53711,-14.74415 z"
-       id="rect84313"
-       inkscape:connector-curvature="0" />
-    <path
-       inkscape:connector-curvature="0"
-       id="path84128"
-       d="m 215.3335,241.36799 22.49734,12.98884"
-       style="fill:#ffffff;fill-rule:evenodd;stroke:#000000;stroke-width:0.52916664;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" />
-    <path
-       inkscape:connector-curvature="0"
-       id="path84130"
-       d="m 246.61693,255.0795 -9.11198,15.78242 a 2.6351497,9.1643514 30 0 0 6.60453,-6.7032 2.6351497,9.1643514 30 0 0 2.50745,-9.07922 z"
-       style="fill:#ffffff;stroke:#000000;stroke-width:0.79375005;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952" />
-    <path
-       style="fill:#ffffff;stroke:#000000;stroke-width:0.79374999;stroke-linecap:round;stroke-linejoin:round;stroke-dashoffset:5.99999952"
-       d="m 195.97877,212.80238 46.0456,26.61429 -3.50256,6.07342 -46.0456,-26.61429 z"
-       id="path84134"
-       inkscape:connector-curvature="0"
-       sodipodi:nodetypes="ccccc" />
-    <path
-       style="fill:#ffffff;stroke:#000000;stroke-width:0.79374999;stroke-linecap:round;stroke-linejoin:round;stroke-dashoffset:5.99999952"
-       d="m 202.36709,199.05917 26.65552,8.43269 21.69622,19.51455 -8.68507,12.39398 -46.04559,-26.61429 z"
-       id="path84136"
-       inkscape:connector-curvature="0"
-       sodipodi:nodetypes="cccccc" />
-    <path
-       style="fill:url(#linearGradient84422);fill-opacity:1;stroke:none;stroke-width:0.79374999;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
-       d="m 186.31445,239.41146 1.30078,0.75 7.46485,-12.92968 -1.30078,-0.75 z"
-       id="rect84410"
-       inkscape:connector-curvature="0" />
-    <path
-       style="fill:url(#linearGradient84349);fill-opacity:1;stroke:none;stroke-width:0.79374999;stroke-linecap:round;stroke-linejoin:round;stroke-dashoffset:5.99999952"
-       d="m 193.92188,218.48568 44.21289,25.55469 2.44335,-4.23242 -44.21289,-25.55664 z"
-       id="path84284"
-       inkscape:connector-curvature="0" />
-    <path
-       style="fill:url(#linearGradient84363);fill-opacity:1;stroke:none;stroke-width:0.79375005;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
-       d="m 189.98438,240.4935 12.42187,7.16992 6.56641,-11.375 -12.42188,-7.16992 z"
-       id="rect84351"
-       inkscape:connector-curvature="0" />
-    <path
-       style="fill:url(#linearGradient84377);fill-opacity:1;stroke:none;stroke-width:0.79375005;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
-       d="m 173.69727,227.99936 12.65234,7.30273 3.88867,-6.73633 -12.65234,-7.30273 z"
-       id="rect84365"
-       inkscape:connector-curvature="0" />
-    <path
-       sodipodi:nodetypes="ccccc"
-       inkscape:connector-curvature="0"
-       id="path84138"
-       d="m 192.47621,218.8758 -11.1013,8.29627 c 0,0 6.16202,4.57403 15.2798,4.67656 9.1178,0.1025 11.46925,-3.93799 11.46925,-3.93799 z"
-       style="fill:#ffffff;fill-rule:evenodd;stroke:#000000;stroke-width:0.79374999;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" />
-    <ellipse
-       cy="223.01579"
-       cx="207.08998"
-       id="circle84140"
-       style="fill:#ffffff;stroke:#000000;stroke-width:0.79374999;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
-       rx="3.8395541"
-       ry="3.8438656" />
-    <path
-       style="fill:url(#linearGradient84333);fill-opacity:1;stroke:none;stroke-width:0.79374999;stroke-linecap:round;stroke-linejoin:round;stroke-dashoffset:5.99999952"
-       d="m 197.35938,212.35287 44.36523,25.64453 7.58984,-10.83203 -20.82617,-18.73242 -25.55078,-8.08399 z"
-       id="path84272"
-       inkscape:connector-curvature="0" />
-    <path
-       inkscape:connector-curvature="0"
-       id="path84142"
-       d="m 200.6837,212.37603 11.49279,-6.98413 -8.11935,-2.73742"
-       style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:0.5291667;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" />
-    <path
-       inkscape:connector-curvature="0"
-       id="path84144"
-       d="m 241.31895,235.3047 -8.04514,-4.75769 10.057,-4.72299"
-       style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:0.5291667;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
-       sodipodi:nodetypes="ccc" />
-    <path
-       sodipodi:nodetypes="ccc"
-       style="fill:none;fill-rule:evenodd;stroke:#2a72ac;stroke-width:0.52899998;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
-       d="m 241.06868,235.79543 -8.9307,-5.38071 10.81942,-5.07707"
-       id="path84280"
-       inkscape:connector-curvature="0" />
-    <path
-       style="fill:none;fill-rule:evenodd;stroke:#2a72ac;stroke-width:0.5291667;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
-       d="m 200.60886,211.70589 10.37702,-6.1817 -7.12581,-2.30459"
-       id="path84290"
-       inkscape:connector-curvature="0"
-       sodipodi:nodetypes="ccc" />
-    <path
-       style="fill:url(#radialGradient84471);fill-opacity:1;stroke:none;stroke-width:0.79374999;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
-       d="m 206.89258,220.23959 -0.29297,0.0352 -0.23633,0.0527 -0.26953,0.0898 -0.2793,0.125 -0.23437,0.13477 -0.20508,0.14648 -0.2207,0.19532 -0.18946,0.20117 -0.006,0.008 0.004,-0.008 -0.006,0.01 -0.008,0.01 -0.004,0.004 -0.006,0.006 -0.12109,0.1582 -0.002,0.004 -0.002,0.002 -0.16406,0.26758 -0.12109,0.24804 -0.0996,0.28125 -0.0645,0.24219 -0.0371,0.26367 -0.0176,0.31641 0.008,0.18164 0.0332,0.28711 0.0527,0.23437 0.004,0.0117 0.0937,0.28516 0.11133,0.24805 0.13086,0.23046 0.16992,0.23829 0.1836,0.20898 0.21093,0.19727 0.19532,0.14843 0.25586,0.15625 0.24218,0.11719 0.26172,0.0977 0.27344,0.0684 0.27344,0.043 0.29297,0.0137 0.18164,-0.008 0.29687,-0.0351 0.24024,-0.0547 0.27539,-0.0898 0.24218,-0.10938 0.25,-0.14453 0.23047,-0.16406 0.20899,-0.1836 0.20508,-0.21875 0.125,-0.16406 0.004,-0.006 0.1582,-0.25781 0.004,-0.008 0.12695,-0.26172 0.0996,-0.27344 0.002,-0.006 0.0586,-0.24023 0.0391,-0.26563 0.0176,-0.3125 -0.008,-0.17968 -0.0332,-0.28711 -0.0527,-0.23438 -0.004,-0.0117 -0.0937,-0.28515 -0.11132,-0.24805 -0.13086,-0.23047 -0.16993,-0.23828 -0.18554,-0.20899 -0.19922,-0.18945 -0.21875,-0.16406 -0.23828,-0.14844 -0.26563,-0.12695 -0.01,-0.004 -0.21875,-0.0801 -0.28516,-0.0723 -0.27344,-0.043 -0.29492,-0.0137 z"
-       id="ellipse84292"
-       inkscape:connector-curvature="0" />
-    <path
-       style="fill:url(#linearGradient84425);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:0.79374999;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
-       d="m 183.23633,227.10092 c 5.59753,3.20336 12.36881,4.51528 18.71366,3.17108 1.59516,-0.38 3.17489,-0.99021 4.44874,-2.04739 -0.73893,-0.64617 -1.68301,-0.99544 -2.49844,-1.53493 -3.78032,-2.18293 -7.56064,-4.36587 -11.34096,-6.5488 -3.10767,2.32001 -6.21533,4.64003 -9.323,6.96004 z"
-       id="path84298"
-       inkscape:connector-curvature="0"
-       sodipodi:nodetypes="cccccc" />
-    <path
-       style="fill:url(#linearGradient84479);fill-opacity:1;stroke:none;stroke-width:0.79375005;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
-       d="m 238.62695,269.97787 0.006,-0.002 0.39453,-0.27735 0.41797,-0.34179 0.002,-0.002 0.45703,-0.42382 0.47851,-0.49219 0.0156,-0.0176 0.47656,-0.53711 0.002,-0.002 0.0117,-0.0137 0.48438,-0.5918 0.0117,-0.0156 0.49023,-0.64257 0.01,-0.0137 0.49609,-0.69726 0.48047,-0.71875 0.01,-0.0137 0.46485,-0.74805 0.004,-0.008 0.002,-0.002 0.30468,-0.51562 0.008,-0.0117 0.4375,-0.78711 0.40625,-0.77734 0.008,-0.0137 0.37109,-0.77149 0.008,-0.0156 0.33789,-0.75977 0.006,-0.0156 0.30078,-0.73829 0.27148,-0.74609 0.21289,-0.66602 0.17969,-0.66796 v -0.002 l 0.12305,-0.58203 0.002,-0.0137 0.0723,-0.51562 0.0176,-0.31836 z"
-       id="path84379"
-       inkscape:connector-curvature="0" />
-    <path
-       style="fill:url(#linearGradient84408);fill-opacity:1;stroke:none;stroke-width:0.79374999;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
-       d="m 202.78906,251.42318 2.08399,1.20118 9.6289,-16.67969 -2.08203,-1.20117 z"
-       id="rect84396"
-       inkscape:connector-curvature="0" />
-    <path
-       style="fill:url(#linearGradient84441);fill-opacity:1;stroke:none;stroke-width:0.79374999;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
-       d="m 169.0918,226.26889 2.35937,1.36133 4.69336,-8.13086 -2.35937,-1.36133 z"
-       id="rect84429"
-       inkscape:connector-curvature="0" />
-    <path
-       style="fill:url(#linearGradient84455);fill-opacity:1;stroke:none;stroke-width:0.79374999;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
-       d="m 234.17188,269.53842 2.08203,1.20312 9.63086,-16.67773 -2.08399,-1.20313 z"
-       id="rect84443"
-       inkscape:connector-curvature="0" />
-    <path
-       style="fill:#ffffff;fill-rule:evenodd;stroke:#f8ead2;stroke-width:0.52916664;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
-       d="m 215.55025,240.82707 22.49734,12.98884"
-       id="path84521"
-       inkscape:connector-curvature="0" />
  </g>
 </svg>
--- a/go.mod
+++ b/go.mod
@@ -1,25 +1,139 @@
 module github.com/containers/skopeo

-go 1.12
+// Minimum required golang version
+go 1.22.8
+
+// Warning: Ensure the "go" and "toolchain" versions match exactly to prevent unwanted auto-updates

 require (
-	github.com/containers/common v0.38.12
-	github.com/containers/image/v5 v5.12.0
-	github.com/containers/ocicrypt v1.1.1
-	github.com/containers/storage v1.31.3
-	github.com/docker/docker v20.10.6+incompatible
-	github.com/dsnet/compress v0.0.1 // indirect
-	github.com/go-check/check v0.0.0-20180628173108-788fd7840127
+	github.com/Masterminds/semver/v3 v3.3.1
+	github.com/containers/common v0.62.0
+	github.com/containers/image/v5 v5.34.0
+	github.com/containers/ocicrypt v1.2.1
+	github.com/containers/storage v1.57.1
+	github.com/docker/distribution v2.8.3+incompatible
+	github.com/moby/sys/capability v0.4.0
 	github.com/opencontainers/go-digest v1.0.0
-	github.com/opencontainers/image-spec v1.0.2-0.20190823105129-775207bd45b6
-	github.com/opencontainers/image-tools v0.0.0-20170926011501-6d941547fa1d
-	github.com/pkg/errors v0.9.1
-	github.com/russross/blackfriday v2.0.0+incompatible // indirect
-	github.com/sirupsen/logrus v1.8.1
-	github.com/spf13/cobra v1.1.3
-	github.com/spf13/pflag v1.0.5
-	github.com/stretchr/testify v1.7.0
-	github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635
-	go4.org v0.0.0-20190218023631-ce4c26f7be8e // indirect
-	gopkg.in/yaml.v2 v2.4.0
+	github.com/opencontainers/image-spec v1.1.0
+	github.com/opencontainers/image-tools v1.0.0-rc3
+	github.com/sirupsen/logrus v1.9.3
+	github.com/spf13/cobra v1.8.1
+	github.com/spf13/pflag v1.0.6
+	github.com/stretchr/testify v1.10.0
+	golang.org/x/exp v0.0.0-20250103183323-7d7fa50e5329
+	golang.org/x/term v0.29.0
+	gopkg.in/yaml.v3 v3.0.1
+)
+
+require (
+	dario.cat/mergo v1.0.1 // indirect
+	github.com/BurntSushi/toml v1.4.0 // indirect
+	github.com/Microsoft/go-winio v0.6.2 // indirect
+	github.com/Microsoft/hcsshim v0.12.9 // indirect
+	github.com/VividCortex/ewma v1.2.0 // indirect
+	github.com/acarl005/stripansi v0.0.0-20180116102854-5a71ef0e047d // indirect
+	github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
+	github.com/containerd/cgroups/v3 v3.0.3 // indirect
+	github.com/containerd/errdefs v0.3.0 // indirect
+	github.com/containerd/errdefs/pkg v0.3.0 // indirect
+	github.com/containerd/stargz-snapshotter/estargz v0.16.3 // indirect
+	github.com/containerd/typeurl/v2 v2.2.3 // indirect
+	github.com/containers/libtrust v0.0.0-20230121012942-c1716e8a8d01 // indirect
+	github.com/coreos/go-oidc/v3 v3.12.0 // indirect
+	github.com/cyberphone/json-canonicalization v0.0.0-20231217050601-ba74d44ecf5f // indirect
+	github.com/cyphar/filepath-securejoin v0.3.6 // indirect
+	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
+	github.com/distribution/reference v0.6.0 // indirect
+	github.com/docker/docker v27.5.1+incompatible // indirect
+	github.com/docker/docker-credential-helpers v0.8.2 // indirect
+	github.com/docker/go-connections v0.5.0 // indirect
+	github.com/docker/go-units v0.5.0 // indirect
+	github.com/dsnet/compress v0.0.2-0.20210315054119-f66993602bf5 // indirect
+	github.com/felixge/httpsnoop v1.0.4 // indirect
+	github.com/go-jose/go-jose/v3 v3.0.3 // indirect
+	github.com/go-jose/go-jose/v4 v4.0.4 // indirect
+	github.com/go-logr/logr v1.4.2 // indirect
+	github.com/go-logr/stdr v1.2.2 // indirect
+	github.com/go-openapi/analysis v0.23.0 // indirect
+	github.com/go-openapi/errors v0.22.0 // indirect
+	github.com/go-openapi/jsonpointer v0.21.0 // indirect
+	github.com/go-openapi/jsonreference v0.21.0 // indirect
+	github.com/go-openapi/loads v0.22.0 // indirect
+	github.com/go-openapi/runtime v0.28.0 // indirect
+	github.com/go-openapi/spec v0.21.0 // indirect
+	github.com/go-openapi/strfmt v0.23.0 // indirect
+	github.com/go-openapi/swag v0.23.0 // indirect
+	github.com/go-openapi/validate v0.24.0 // indirect
+	github.com/gogo/protobuf v1.3.2 // indirect
+	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
+	github.com/golang/protobuf v1.5.4 // indirect
+	github.com/google/go-containerregistry v0.20.2 // indirect
+	github.com/google/go-intervals v0.0.2 // indirect
+	github.com/google/uuid v1.6.0 // indirect
+	github.com/gorilla/mux v1.8.1 // indirect
+	github.com/hashicorp/errwrap v1.1.0 // indirect
+	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
+	github.com/hashicorp/go-multierror v1.1.1 // indirect
+	github.com/hashicorp/go-retryablehttp v0.7.7 // indirect
+	github.com/inconshreveable/mousetrap v1.1.0 // indirect
+	github.com/josharian/intern v1.0.0 // indirect
+	github.com/json-iterator/go v1.1.12 // indirect
+	github.com/klauspost/compress v1.17.11 // indirect
+	github.com/klauspost/pgzip v1.2.6 // indirect
+	github.com/letsencrypt/boulder v0.0.0-20240620165639-de9c06129bec // indirect
+	github.com/mailru/easyjson v0.7.7 // indirect
+	github.com/mattn/go-runewidth v0.0.16 // indirect
+	github.com/mattn/go-sqlite3 v1.14.24 // indirect
+	github.com/miekg/pkcs11 v1.1.1 // indirect
+	github.com/mistifyio/go-zfs/v3 v3.0.1 // indirect
+	github.com/mitchellh/mapstructure v1.5.0 // indirect
+	github.com/moby/docker-image-spec v1.3.1 // indirect
+	github.com/moby/sys/mountinfo v0.7.2 // indirect
+	github.com/moby/sys/user v0.3.0 // indirect
+	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
+	github.com/modern-go/reflect2 v1.0.2 // indirect
+	github.com/oklog/ulid v1.3.1 // indirect
+	github.com/opencontainers/runtime-spec v1.2.0 // indirect
+	github.com/opencontainers/selinux v1.11.1 // indirect
+	github.com/opentracing/opentracing-go v1.2.0 // indirect
+	github.com/ostreedev/ostree-go v0.0.0-20210805093236-719684c64e4f // indirect
+	github.com/pkg/errors v0.9.1 // indirect
+	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
+	github.com/proglottis/gpgme v0.1.4 // indirect
+	github.com/rivo/uniseg v0.4.7 // indirect
+	github.com/russross/blackfriday v2.0.0+incompatible // indirect
+	github.com/secure-systems-lab/go-securesystemslib v0.9.0 // indirect
+	github.com/segmentio/ksuid v1.0.4 // indirect
+	github.com/shurcooL/sanitized_anchor_name v1.0.0 // indirect
+	github.com/sigstore/fulcio v1.6.4 // indirect
+	github.com/sigstore/rekor v1.3.8 // indirect
+	github.com/sigstore/sigstore v1.8.12 // indirect
+	github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966 // indirect
+	github.com/smallstep/pkcs7 v0.1.1 // indirect
+	github.com/stefanberger/go-pkcs11uri v0.0.0-20230803200340-78284954bff6 // indirect
+	github.com/sylabs/sif/v2 v2.20.2 // indirect
+	github.com/tchap/go-patricia/v2 v2.3.2 // indirect
+	github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect
+	github.com/ulikunitz/xz v0.5.12 // indirect
+	github.com/vbatts/tar-split v0.11.7 // indirect
+	github.com/vbauerster/mpb/v8 v8.9.1 // indirect
+	github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
+	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
+	github.com/xeipuuv/gojsonschema v1.2.0 // indirect
+	go.mongodb.org/mongo-driver v1.14.0 // indirect
+	go.opencensus.io v0.24.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.54.0 // indirect
+	go.opentelemetry.io/otel v1.31.0 // indirect
+	go.opentelemetry.io/otel/metric v1.31.0 // indirect
+	go.opentelemetry.io/otel/trace v1.31.0 // indirect
+	golang.org/x/crypto v0.32.0 // indirect
+	golang.org/x/mod v0.22.0 // indirect
+	golang.org/x/net v0.34.0 // indirect
+	golang.org/x/oauth2 v0.25.0 // indirect
+	golang.org/x/sync v0.10.0 // indirect
+	golang.org/x/sys v0.30.0 // indirect
+	golang.org/x/text v0.21.0 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20250102185135-69823020774d // indirect
+	google.golang.org/grpc v1.69.4 // indirect
+	google.golang.org/protobuf v1.36.2 // indirect
 )
--- a/go.sum
+++ b/go.sum
--- a/hack/btrfs_installed_tag.sh
+++ b/hack/btrfs_installed_tag.sh
@@ -1,5 +1,5 @@
-#!/bin/bash
-cc -E - > /dev/null 2> /dev/null << EOF
+#!/usr/bin/env bash
+${CPP:-${CC:-cc} -E} ${CPPFLAGS} - > /dev/null 2> /dev/null << EOF
 #include <btrfs/ioctl.h>
 EOF
 if test $? -ne 0 ; then
--- a/hack/btrfs_tag.sh
+++ b/hack/btrfs_tag.sh
@@ -1,5 +1,5 @@
-#!/bin/bash
-cc -E - > /dev/null 2> /dev/null << EOF
+#!/usr/bin/env bash
+${CPP:-${CC:-cc} -E} ${CPPFLAGS} - > /dev/null 2> /dev/null << EOF
 #include <btrfs/version.h>
 EOF
 if test $? -ne 0 ; then
--- a/hack/get_ci_vm.sh
+++ b/hack/get_ci_vm.sh
@@ -0,0 +1,61 @@
+#!/usr/bin/env bash
+
+#
+# For help and usage information, simply execute the script w/o any arguments.
+#
+# This script is intended to be run by Red Hat skopeo developers who need
+# to debug problems specifically related to Cirrus-CI automated testing.
+# It requires that you have been granted prior access to create VMs in
+# google-cloud.  For non-Red Hat contributors, VMs are available as-needed,
+# with supervision upon request.
+
+set -e
+
+SCRIPT_FILEPATH=$(realpath "${BASH_SOURCE[0]}")
+SCRIPT_DIRPATH=$(dirname "$SCRIPT_FILEPATH")
+REPO_DIRPATH=$(realpath "$SCRIPT_DIRPATH/../")
+
+# Help detect if we were called by get_ci_vm container
+GET_CI_VM="${GET_CI_VM:-0}"
+in_get_ci_vm() {
+    if ((GET_CI_VM==0)); then
+        echo "Error: $1 is not intended for use in this context"
+        exit 2
+    fi
+}
+
+# get_ci_vm APIv1 container entrypoint calls into this script
+# to obtain required repo. specific configuration options.
+if [[ "$1" == "--config" ]]; then
+    in_get_ci_vm "$1"
+    cat <<EOF
+DESTDIR="/var/tmp/go/src/github.com/containers/skopeo"
+UPSTREAM_REPO="https://github.com/containers/skopeo.git"
+GCLOUD_PROJECT="skopeo"
+GCLOUD_IMGPROJECT="libpod-218412"
+GCLOUD_CFG="skopeo"
+GCLOUD_ZONE="${GCLOUD_ZONE:-us-central1-f}"
+GCLOUD_CPUS="2"
+GCLOUD_MEMORY="4Gb"
+GCLOUD_DISK="200"
+EOF
+elif [[ "$1" == "--setup" ]]; then
+    in_get_ci_vm "$1"
+    # get_ci_vm container entrypoint calls us with this option on the
+    # Cirrus-CI environment instance, to perform repo.-specific setup.
+    echo "+ Executing setup" > /dev/stderr
+    ${GOSRC}/${SCRIPT_BASE}/runner.sh setup
+else
+    # Create and access VM for specified Cirrus-CI task
+    mkdir -p $HOME/.config/gcloud/ssh
+    podman run -it --rm \
+        --tz=local \
+        -e NAME="$USER" \
+        -e SRCDIR=/src \
+        -e GCLOUD_ZONE="$GCLOUD_ZONE" \
+        -e DEBUG="${DEBUG:-0}" \
+        -v $REPO_DIRPATH:/src:O \
+        -v $HOME/.config/gcloud:/root/.config/gcloud:z \
+        -v $HOME/.config/gcloud/ssh:/root/.ssh:z \
+        quay.io/libpod/get_ci_vm:latest "$@"
+fi
--- a/hack/get_fqin.sh
+++ b/hack/get_fqin.sh
@@ -0,0 +1,34 @@
+#!/usr/bin/env bash
+
+# This script is intended to be called from the Makefile.  It's purpose
+# is to automation correspondence between the environment used for local
+# development and CI.
+
+set -e
+
+SCRIPT_FILEPATH=$(realpath "${BASH_SOURCE[0]}")
+SCRIPT_DIRPATH=$(dirname "$SCRIPT_FILEPATH")
+REPO_DIRPATH=$(realpath "$SCRIPT_DIRPATH/../")
+
+# When running under CI, we already have the necessary information,
+# simply provide it to the Makefile.
+if [[ -n "$SKOPEO_CIDEV_CONTAINER_FQIN" ]]; then
+    echo "$SKOPEO_CIDEV_CONTAINER_FQIN"
+    exit 0
+fi
+
+if [[ -n $(command -v podman) ]]; then CONTAINER_RUNTIME=podman; fi
+CONTAINER_RUNTIME=${CONTAINER_RUNTIME:-docker}
+
+# Borrow the get_ci_vm container image since it's small, and
+# by necessity contains a script that can accurately interpret
+# env. var. values from any .cirrus.yml runtime context.
+$CONTAINER_RUNTIME run --rm \
+    --security-opt label=disable \
+    -v $REPO_DIRPATH:/src:ro \
+    --entrypoint=/usr/share/automation/bin/cirrus-ci_env.py \
+    quay.io/libpod/get_ci_vm:latest \
+    --envs="Skopeo Test" /src/.cirrus.yml | \
+    grep -E -m1 '^SKOPEO_CIDEV_CONTAINER_FQIN' | \
+    awk -F "=" -e '{print $2}' | \
+    tr -d \'\"
--- a/hack/libdm_tag.sh
+++ b/hack/libdm_tag.sh
@@ -1,14 +0,0 @@
-#!/bin/bash
-tmpdir="$PWD/tmp.$RANDOM"
-mkdir -p "$tmpdir"
-trap 'rm -fr "$tmpdir"' EXIT
-cc -c -o "$tmpdir"/libdm_tag.o -x c - > /dev/null 2> /dev/null << EOF
-#include <libdevmapper.h>
-int main() {
-	struct dm_task *task;
-	return 0;
-}
-EOF
-if test $? -ne 0 ; then
-	echo libdm_no_deferred_remove
-fi
--- a/hack/libsubid_tag.sh
+++ b/hack/libsubid_tag.sh
@@ -0,0 +1,25 @@
+#!/usr/bin/env bash
+if test $(${GO:-go} env GOOS) != "linux" ; then
+	exit 0
+fi
+tmpdir="$PWD/tmp.$RANDOM"
+mkdir -p "$tmpdir"
+trap 'rm -fr "$tmpdir"' EXIT
+${CC:-cc} ${CPPFLAGS} ${CFLAGS} -o "$tmpdir"/libsubid_tag -x c - -l subid \
+	  > /dev/null 2> /dev/null << EOF
+#include <shadow/subid.h>
+#include <stdlib.h>
+int main() {
+	struct subid_range *ranges = NULL;
+#if SUBID_ABI_MAJOR >= 4
+	subid_get_uid_ranges("root", &ranges);
+#else
+	get_subuid_ranges("root", &ranges);
+#endif
+	free(ranges);
+	return 0;
+}
+EOF
+if test $? -eq 0 ; then
+	echo libsubid
+fi
--- a/hack/make.sh
+++ b/hack/make.sh
@@ -1,108 +0,0 @@
-#!/usr/bin/env bash
-set -e
-
-# This script builds various binary from a checkout of the skopeo
-# source code.
-#
-# Requirements:
-# - The current directory should be a checkout of the skopeo source code
-#   (https://github.com/containers/skopeo). Whatever version is checked out
-#   will be built.
-# - The script is intended to be run inside the docker container specified
-#   in the Dockerfile at the root of the source. In other words:
-#   DO NOT CALL THIS SCRIPT DIRECTLY.
-# - The right way to call this script is to invoke "make" from
-#   your checkout of the skopeo repository.
-#   the Makefile will do a "docker build -t skopeo ." and then
-#   "docker run hack/make.sh" in the resulting image.
-#
-
-set -o pipefail
-
-export SKOPEO_PKG='github.com/containers/skopeo'
-export SCRIPTDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
-export MAKEDIR="$SCRIPTDIR/make"
-
-# We're a nice, sexy, little shell script, and people might try to run us;
-# but really, they shouldn't. We want to be in a container!
-inContainer="AssumeSoInitially"
-if [ "$PWD" != "/go/src/$SKOPEO_PKG" ]; then
-	unset inContainer
-fi
-
-if [ -z "$inContainer" ]; then
-	{
-		echo "# WARNING! I don't seem to be running in a Docker container."
-		echo "# The result of this command might be an incorrect build, and will not be"
-		echo "# officially supported."
-		echo "#"
-		echo "# Try this instead: make all"
-		echo "#"
-	} >&2
-fi
-
-echo
-
-# List of bundles to create when no argument is passed
-# TODO(runcom): these are the one left from Docker...for now
-# test-unit
-# validate-dco
-# cover
-DEFAULT_BUNDLES=(
-	validate-gofmt
-	validate-lint
-	validate-vet
-	validate-git-marks
-
-	test-integration
-)
-
-TESTFLAGS+=" -test.timeout=15m"
-
-# Go module support: set `-mod=vendor` to use the vendored sources
-# See also the top-level Makefile.
-mod_vendor=
-if go help mod >/dev/null 2>&1; then
-  export GO111MODULE=on
-  mod_vendor='-mod=vendor'
-fi
-
-# If $TESTFLAGS is set in the environment, it is passed as extra arguments to 'go test'.
-# You can use this to select certain tests to run, eg.
-#
-#     TESTFLAGS='-test.run ^TestBuild$' ./hack/make.sh test-unit
-#
-# For integration-cli test, we use [gocheck](https://labix.org/gocheck), if you want
-# to run certain tests on your local host, you should run with command:
-#
-#     TESTFLAGS='-check.f DockerSuite.TestBuild*' ./hack/make.sh binary test-integration-cli
-#
-go_test_dir() {
-	dir=$1
-	(
-		echo '+ go test' $mod_vendor $TESTFLAGS ${BUILDTAGS:+-tags "$BUILDTAGS"} "${SKOPEO_PKG}${dir#.}"
-		cd "$dir"
-		export DEST="$ABS_DEST" # we're in a subshell, so this is safe -- our integration-cli tests need DEST, and "cd" screws it up
-		go test $mod_vendor $TESTFLAGS ${BUILDTAGS:+-tags "$BUILDTAGS"}
-	)
-}
-
-bundle() {
-	local bundle="$1"; shift
-	echo "---> Making bundle: $(basename "$bundle")"
-	source "$SCRIPTDIR/make/$bundle" "$@"
-}
-
-main() {
-	if [ $# -lt 1 ]; then
-		bundles=(${DEFAULT_BUNDLES[@]})
-	else
-		bundles=($@)
-	fi
-	for bundle in ${bundles[@]}; do
-		bundle "$bundle"
-		echo
-	done
-}
-
-main "$@"
--- a/hack/make/.validate
+++ b/hack/make/.validate
@@ -1,31 +0,0 @@
-#!/bin/bash
-
-if [ -z "$VALIDATE_UPSTREAM" ]; then
-	# this is kind of an expensive check, so let's not do this twice if we
-	# are running more than one validate bundlescript
-	
-	VALIDATE_REPO='https://github.com/containers/skopeo.git'
-	VALIDATE_BRANCH='master'
-	
-	if [ "$TRAVIS" = 'true' -a "$TRAVIS_PULL_REQUEST" != 'false' ]; then
-		VALIDATE_REPO="https://github.com/${TRAVIS_REPO_SLUG}.git"
-		VALIDATE_BRANCH="${TRAVIS_BRANCH}"
-	fi
-	
-	VALIDATE_HEAD="$(git rev-parse --verify HEAD)"
-	
-	git fetch -q "$VALIDATE_REPO" "refs/heads/$VALIDATE_BRANCH"
-	VALIDATE_UPSTREAM="$(git rev-parse --verify FETCH_HEAD)"
-	
-	VALIDATE_COMMIT_LOG="$VALIDATE_UPSTREAM..$VALIDATE_HEAD"
-	VALIDATE_COMMIT_DIFF="$VALIDATE_UPSTREAM...$VALIDATE_HEAD"
-	
-	validate_diff() {
-		git diff "$VALIDATE_UPSTREAM" "$@"
-	}
-	validate_log() {
-		if [ "$VALIDATE_UPSTREAM" != "$VALIDATE_HEAD" ]; then
-			git log "$VALIDATE_COMMIT_LOG" "$@"
-		fi
-	}
-fi
--- a/hack/make/test-integration
+++ b/hack/make/test-integration
@@ -1,14 +0,0 @@
-#!/bin/bash
-set -e
-
-bundle_test_integration() {
-	TESTFLAGS="$TESTFLAGS -check.v"
-	go_test_dir ./integration
-}
-
-# subshell so that we can export PATH without breaking other things
-(
-	make bin/skopeo ${BUILDTAGS:+BUILDTAGS="$BUILDTAGS"}
-	make install
-	bundle_test_integration
-) 2>&1
--- a/hack/make/test-system
+++ b/hack/make/test-system
@@ -1,18 +0,0 @@
-#!/bin/bash
-set -e
-
-# Before running podman for the first time, make sure
-# to set storage to vfs (not overlay): podman-in-podman
-# doesn't work with overlay. And, disable mountopt,
-# which causes error with vfs.
-sed -i \
-    -e 's/^driver\s*=.*/driver = "vfs"/' \
-    -e 's/^mountopt/#mountopt/' \
-    /etc/containers/storage.conf
-
-# Build skopeo, install into /usr/bin
-make bin/skopeo ${BUILDTAGS:+BUILDTAGS="$BUILDTAGS"}
-make install
-
-# Run tests
-SKOPEO_BINARY=/usr/bin/skopeo bats --tap systemtest
--- a/hack/make/validate-git-marks
+++ b/hack/make/validate-git-marks
@@ -1,44 +0,0 @@
-#!/usr/bin/env bash
-
-source "$(dirname "$BASH_SOURCE")/.validate"
-
-# folders=$(find * -type d | egrep -v '^Godeps|bundles|.git')
-
-IFS=$'\n'
-files=( $(validate_diff --diff-filter=ACMR --name-only -- '*' | grep -v '^vendor/' || true) )
-unset IFS
-
-badFiles=()
-for f in "${files[@]}"; do
-    if [ $(grep -r "^<<<<<<<" $f) ]; then
-        badFiles+=( "$f" )
-        continue
-    fi
-
-    if [ $(grep -r "^>>>>>>>" $f) ]; then
-        badFiles+=( "$f" )
-        continue
-    fi
-
-    if [ $(grep -r "^=======$" $f) ]; then
-        badFiles+=( "$f" )
-        continue
-    fi
-    set -e
-done
-
-
-if [ ${#badFiles[@]} -eq 0 ]; then
-	echo 'Congratulations!  There is no conflict.'
-else
-	{
-		echo "There is trace of conflict(s) in the following files :"
-		for f in "${badFiles[@]}"; do
-			echo " - $f"
-		done
-		echo
-		echo 'Please fix the conflict(s) commit the result.'
-		echo
-	} >&2
-	false
-fi
--- a/hack/make/validate-gofmt
+++ b/hack/make/validate-gofmt
@@ -1,29 +0,0 @@
-#!/bin/bash
-
-source "$(dirname "$BASH_SOURCE")/.validate"
-
-IFS=$'\n'
-files=( $(validate_diff --diff-filter=ACMR --name-only -- '*.go' | grep -v '^vendor/' || true) )
-unset IFS
-
-badFiles=()
-for f in "${files[@]}"; do
-	if [ "$(gofmt -s -l < $f)" ]; then
-		badFiles+=( "$f" )
-	fi
-done
-
-if [ ${#badFiles[@]} -eq 0 ]; then
-	echo 'Congratulations!  All Go source files are properly formatted.'
-else
-	{
-		echo "These files are not properly gofmt'd:"
-		for f in "${badFiles[@]}"; do
-			echo " - $f"
-		done
-		echo
-		echo 'Please reformat the above files using "gofmt -s -w" and commit the result.'
-		echo
-	} >&2
-	false
-fi
--- a/hack/make/validate-lint
+++ b/hack/make/validate-lint
@@ -1,33 +0,0 @@
-#!/bin/bash
-
-source "$(dirname "$BASH_SOURCE")/.validate"
-
-# We will eventually get to the point where packages should be the complete list
-# of subpackages, vendoring excluded, as given by:
-#
-IFS=$'\n'
-files=( $(validate_diff --diff-filter=ACMR --name-only -- '*.go' | grep -v '^vendor/\|^integration' || true) )
-unset IFS
-
-errors=()
-for f in "${files[@]}"; do
-	failedLint=$(golint "$f")
-	if [ "$failedLint" ]; then
-		errors+=( "$failedLint" )
-	fi
-done
-
-if [ ${#errors[@]} -eq 0 ]; then
-	echo 'Congratulations!  All Go source files have been linted.'
-else
-	{
-		echo "Errors from golint:"
-		for err in "${errors[@]}"; do
-			echo "$err"
-		done
-		echo
-		echo 'Please fix the above errors. You can test via "golint" and commit the result.'
-		echo
-	} >&2
-	false
-fi
--- a/hack/make/validate-vet
+++ b/hack/make/validate-vet
@@ -1,16 +0,0 @@
-#!/bin/bash
-
-errors=$(go vet $mod_vendor $(go list $mod_vendor -e ./...))
-
-if [ -z "$errors" ]; then
-	echo 'Congratulations!  All Go source files have been vetted.'
-else
-	{
-		echo "Errors from go vet:"
-		echo "$errors"
-		echo
-		echo 'Please fix the above errors. You can test via "go vet" and commit the result.'
-		echo
-	} >&2
-	false
-fi
--- a/hack/man-page-checker
+++ b/hack/man-page-checker
@@ -0,0 +1,150 @@
+#!/usr/bin/env bash
+#
+# man-page-checker - validate and cross-reference man page names
+#
+# This is the script that cross-checks BETWEEN MAN PAGES. It is not the
+# script that cross-checks that each option in skopeo foo --help is listed
+# in skopeo-foo.1.md and vice-versa; that one is xref-helpmsgs-manpages.
+#
+
+verbose=
+for i; do
+    case "$i" in
+        -v|--verbose)   verbose=verbose ;;
+    esac
+done
+
+
+die() {
+    echo "$(basename $0): $*" >&2
+    exit 1
+}
+
+cd $(dirname $0)/../docs || die "Please run me from top-level skopeo dir"
+
+rc=0
+
+# Pass 1: cross-check file names with NAME section
+#
+# for a given skopeo-foo.1.md, the NAME should be 'skopeo-foo'
+for md in *.1.md;do
+    # Read the first line after '## NAME'
+    name=$(grep -E -A1 '^## NAME' $md|tail -1|awk '{print $1}' | tr -d \\\\)
+
+    expect=$(basename $md .1.md)
+    if [ "$name" != "$expect" ]; then
+        echo
+        printf "Inconsistent program NAME in %s:\n" $md
+        printf "  NAME= %s  (expected: %s)\n" $name $expect
+        rc=1
+    fi
+done
+
+# Pass 2: compare descriptions.
+#
+# Make sure the descriptive text in skopeo-foo.1.md matches the one
+# in the table in skopeo.1.md.
+for md in $(ls -1 *-*.1.md);do
+    desc=$(grep -E -A1 '^## NAME' $md|tail -1|sed -E -e 's/^skopeo[^[:space:]]+ - //')
+
+    # Find the descriptive text in the main skopeo man page.
+    parent=skopeo.1.md
+    parent_desc=$(grep $md $parent | awk -F'|' '{print $3}' | sed -E -e 's/^[[:space:]]+//' -e 's/[[:space:]]+$//')
+
+    if [ "$desc" != "$parent_desc" ]; then
+        echo
+        printf "Inconsistent subcommand descriptions:\n"
+        printf "  %-32s = '%s'\n" $md "$desc"
+        printf "  %-32s = '%s'\n" $parent "$parent_desc"
+        printf "Please ensure that the NAME section of $md\n"
+        printf "matches the subcommand description in $parent\n"
+        rc=1
+    fi
+done
+
+# Helper function: compares man page synopsis vs --help usage message
+function compare_usage() {
+    local cmd="$1"
+    local from_man="$2"
+
+    # Run 'cmd --help', grab the line immediately after 'Usage:'
+    local help_output=$(../bin/$cmd --help)
+    local from_help=$(echo "$help_output" | grep -A1 '^Usage:' | tail -1)
+
+    # strip off command name from both
+    from_man=$(sed -E -e "s/\*\*$cmd\*\*[[:space:]]*//" <<<"$from_man")
+    from_help=$(sed -E -e "s/^[[:space:]]*$cmd[[:space:]]*//" <<<"$from_help")
+
+    # man page lists 'foo [*options*]', help msg shows 'foo [command options]'.
+    # Make sure if one has it, the other does too.
+    if expr "$from_man" : "\[\*options\*\]" >/dev/null; then
+        if expr "$from_help" : "\[command options\]" >/dev/null; then
+            :
+        else
+            echo "WARNING: $cmd: man page shows '[*options*]', help does not show [command options]"
+            rc=1
+       fi
+    elif expr "$from_help" : "\[command options\]" >/dev/null; then
+        echo "WARNING: $cmd: --help shows [command options], man page does not show [*options*]"
+        rc=1
+    fi
+
+    # Strip off options and flags; start comparing arguments
+    from_man=$(sed  -E -e 's/^\[\*options\*\][[:space:]]*//' <<<"$from_man")
+    from_help=$(sed -E -e 's/^\[command options\][[:space:]]*//'      <<<"$from_help")
+
+    # Constant strings in man page are '**foo**', in --help are 'foo'.
+    from_man=$(sed -E -e 's/\*\*([^*]+)\*\*/\1/g' <<<"$from_man")
+
+    # Args in man page are '_foo_', in --help are 'FOO'. Convert all to
+    # UPCASE simply because it stands out better to the eye.
+    from_man=$(sed -E -e 's/_([a-z-]+)_/\U\1/g' <<<"$from_man")
+
+    # Compare man-page and --help usage strings. Skip 'skopeo' itself,
+    # because the man page includes '[global options]' which we don't grok.
+    if [[ "$from_man" != "$from_help" && "$cmd" != "skopeo" ]]; then
+        printf "%-25s man='%s' help='%s'\n" "$cmd:" "$from_man" "$from_help"
+        rc=1
+    fi
+}
+
+# Pass 3: compare synopses.
+#
+# Make sure the SYNOPSIS line in skopeo-foo.1.md reads '**skopeo foo** ...'
+for md in *.1.md;do
+    synopsis=$(grep -E -A1 '^#* SYNOPSIS' $md|tail -1)
+
+    # Command name must be bracketed by double asterisks; options and
+    # arguments are bracketed by single ones.
+    #   E.g. '**skopeo copy** [*options*] _..._'
+    # Get the command name, and confirm that it matches the md file name.
+    cmd=$(echo "$synopsis" | sed -E -e 's/^\*\*([^*]+)\*\*.*/\1/' | tr -d \*)
+    # Use sed, not tr, so we only replace the first dash: we want
+    # skopeo-list-tags -> "skopeo list-tags", not "skopeo list tags"
+    md_nodash=$(basename "$md" .1.md | sed -e 's/-/ /')
+    if [ "$cmd" != "$md_nodash" ]; then
+        echo
+        printf "Inconsistent program name in SYNOPSIS in %s:\n" $md
+        printf "  SYNOPSIS = %s (expected: '%s')\n" "$cmd" "$md_nodash"
+        rc=1
+    fi
+
+    # The convention is to use UPPER CASE in 'skopeo foo --help',
+    # but *lower case bracketed by asterisks* in the man page
+    if expr "$synopsis" : ".*[A-Z]" >/dev/null; then
+        echo
+        printf "Inconsistent capitalization in SYNOPSIS in %s\n" $md
+        printf "  '%s' should not contain upper-case characters\n" "$synopsis"
+        rc=1
+    fi
+
+    # (for debugging, and getting a sense of standard conventions)
+    #printf "  %-32s ------ '%s'\n" $md "$synopsis"
+
+    # If bin/skopeo is available, run "cmd --help" and compare Usage
+    # messages. This is complicated, so do it in a helper function.
+    compare_usage "$md_nodash" "$synopsis"
+done
+
+
+exit $rc
--- a/hack/test-integration.sh
+++ b/hack/test-integration.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+set -e
+
+make PREFIX=/usr install
+
+echo "cd ./integration;" go test $TESTFLAGS ${BUILDTAGS:+-tags "$BUILDTAGS"}
+cd ./integration
+go test $TESTFLAGS ${BUILDTAGS:+-tags "$BUILDTAGS"}
--- a/hack/test-system.sh
+++ b/hack/test-system.sh
@@ -0,0 +1,44 @@
+#!/bin/bash
+set -e
+
+# These tests can run in/outside of a container.  However,
+# not all storage drivers are supported in a container
+# environment.  Detect this and setup storage when
+# running in a container.
+#
+# Paradoxically (FIXME: clean this up), SKOPEO_CONTAINER_TESTS is set
+# both inside a container and without a container (in a CI VM); it actually means
+# "it is safe to destructively modify the system for tests".
+#
+# On a CI VM, we can just use Podman as it is already configured; the changes below,
+# to use VFS, are necessary only inside a container, because overlay-inside-overlay
+# does not work. So, make these changes conditional on both
+# SKOPEO_CONTAINER_TESTS (for acceptability to do destructive modification) and !CI
+# (for necessity to adjust for in-container operation)
+if ((SKOPEO_CONTAINER_TESTS)) && [[ "$CI" != true ]]; then
+    if [[ -r /etc/containers/storage.conf ]]; then
+        echo "MODIFYING existing storage.conf"
+        sed -i \
+            -e 's/^driver\s*=.*/driver = "vfs"/' \
+            -e 's/^mountopt/#mountopt/' \
+            /etc/containers/storage.conf
+    else
+        echo "CREATING NEW storage.conf"
+        cat >> /etc/containers/storage.conf << EOF
+[storage]
+driver = "vfs"
+runroot = "/run/containers/storage"
+graphroot = "/var/lib/containers/storage"
+EOF
+    fi
+    # The logic of finding the relevant storage.conf file is convoluted
+    # and in effect differs between Skopeo and Podman, at least in some versions;
+    # explicitly point at the file we want to use to hopefully avoid that.
+    export CONTAINERS_STORAGE_CONF=/etc/containers/storage.conf
+fi
+
+# Build skopeo, install into /usr/bin
+make PREFIX=/usr install
+
+# Run tests
+SKOPEO_BINARY=/usr/bin/skopeo bats --tap systemtest
--- a/hack/travis_osx.sh
+++ b/hack/travis_osx.sh
@@ -1,17 +0,0 @@
-#!/usr/bin/env bash
-set -e
-
-export GOPATH=$(pwd)/_gopath
-export PATH=$GOPATH/bin:$PATH
-
-_containers="${GOPATH}/src/github.com/containers"
-mkdir -vp ${_containers}
-ln -vsf $(pwd) ${_containers}/skopeo
-
-go version
-GO111MODULE=off go get -u github.com/cpuguy83/go-md2man golang.org/x/lint/golint
-
-cd ${_containers}/skopeo
-make validate-local test-unit-local bin/skopeo
-sudo make install
-skopeo -v
--- a/hack/tree_status.sh
+++ b/hack/tree_status.sh
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
 set -e

 STATUS=$(git status --porcelain)
--- a/hack/validate-git-marks.sh
+++ b/hack/validate-git-marks.sh
@@ -0,0 +1,30 @@
+#!/usr/bin/env bash
+
+IFS=$'\n'
+files=( $(git ls-tree -r HEAD --name-only | grep -v '^vendor/' || true) )
+unset IFS
+
+badFiles=()
+for f in "${files[@]}"; do
+    if [ $(grep -r "^\(<<<<<<<\|>>>>>>>\|^=======$\)" $f) ]; then
+        badFiles+=( "$f" )
+        continue
+    fi
+    set -e
+done
+
+
+if [ ${#badFiles[@]} -eq 0 ]; then
+	echo 'Congratulations!  There is no conflict.'
+else
+	{
+		echo "There is trace of conflict(s) in the following files :"
+		for f in "${badFiles[@]}"; do
+			echo " - $f"
+		done
+		echo
+		echo 'Please fix the conflict(s) commit the result.'
+		echo
+	} >&2
+	exit 1
+fi
--- a/hack/validate-gofmt.sh
+++ b/hack/validate-gofmt.sh
@@ -0,0 +1,27 @@
+#!/bin/bash
+
+IFS=$'\n'
+files=( $(find . -name '*.go' | grep -v '^./vendor/' | sort || true) )
+unset IFS
+
+badFiles=()
+for f in "${files[@]}"; do
+	if [ "$(gofmt -s -l < $f)" ]; then
+		badFiles+=( "$f" )
+	fi
+done
+
+if [ ${#badFiles[@]} -eq 0 ]; then
+	echo 'Congratulations!  All Go source files are properly formatted.'
+else
+	{
+		echo "These files are not properly gofmt'd:"
+		for f in "${badFiles[@]}"; do
+			echo " - $f"
+		done
+		echo
+		echo 'Please reformat the above files using "gofmt -s -w" and commit the result.'
+		echo
+	} >&2
+	exit 1
+fi
--- a/hack/validate-lint.sh
+++ b/hack/validate-lint.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+errors=$($GOBIN/golangci-lint run --build-tags "${BUILDTAGS}" 2>&1)
+
+if [ -z "$errors" ]; then
+	echo 'Congratulations!  All Go source files have been linted.'
+else
+	{
+		echo "Errors from golangci-lint:"
+		echo "$errors"
+		echo
+		echo 'Please fix the above errors. You can test via "golangci-lint" and commit the result.'
+		echo
+	} >&2
+	exit 1
+fi
--- a/hack/validate-vet.sh
+++ b/hack/validate-vet.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+errors=$(go vet -tags="${BUILDTAGS}" ./... 2>&1)
+
+if [ -z "$errors" ]; then
+	echo 'Congratulations!  All Go source files have been vetted.'
+else
+	{
+		echo "Errors from go vet:"
+		echo "$errors"
+		echo
+		echo 'Please fix the above errors. You can test via "go vet" and commit the result.'
+		echo
+	} >&2
+	exit 1
+fi
--- a/hack/warn-destructive-tests.sh
+++ b/hack/warn-destructive-tests.sh
@@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+set -e
+
+# Set this to 1 to enable installation/modification of environment/services
+export SKOPEO_CONTAINER_TESTS=${SKOPEO_CONTAINER_TESTS:-0}
+
+if [[ "$SKOPEO_CONTAINER_TESTS" == "0" ]] && [[ "$CI" != "true" ]]; then
+    (
+    echo "***************************************************************"
+    echo "WARNING: Executing tests directly on the local development"
+    echo "         host is highly discouraged.  Many important items"
+    echo "         will be skipped.  For manual execution, please utilize"
+    echo "         the Makefile targets WITHOUT the '-local' suffix."
+    echo "***************************************************************"
+    ) > /dev/stderr
+    sleep 5
+fi
--- a/hack/xref-helpmsgs-manpages
+++ b/hack/xref-helpmsgs-manpages
@@ -0,0 +1,277 @@
+#!/usr/bin/perl
+#
+# xref-helpmsgs-manpages - cross-reference --help options against man pages
+#
+package LibPod::CI::XrefHelpmsgsManpages;
+
+use v5.14;
+use utf8;
+
+use strict;
+use warnings;
+
+(our $ME = $0) =~ s|.*/||;
+our $VERSION = '0.1';
+
+# For debugging, show data structures using DumpTree($var)
+#use Data::TreeDumper; $Data::TreeDumper::Displayaddress = 0;
+
+# unbuffer output
+$| = 1;
+
+###############################################################################
+# BEGIN user-customizable section
+
+# Path to skopeo executable
+my $Default_Skopeo = './bin/skopeo';
+my $SKOPEO = $ENV{SKOPEO} || $Default_Skopeo;
+
+# Path to all doc files (markdown)
+my $Docs_Path = 'docs';
+
+# Global error count
+my $Errs = 0;
+
+# END   user-customizable section
+###############################################################################
+
+###############################################################################
+# BEGIN boilerplate args checking, usage messages
+
+sub usage {
+    print  <<"END_USAGE";
+Usage: $ME [OPTIONS]
+
+$ME recursively runs 'skopeo --help' against
+all subcommands; and recursively reads skopeo-*.1.md files
+in $Docs_Path, then cross-references that each --help
+option is listed in the appropriate man page and vice-versa.
+
+$ME invokes '\$SKOPEO' (default: $Default_Skopeo).
+
+Exit status is zero if no inconsistencies found, one otherwise
+
+OPTIONS:
+
+  -v, --verbose  show verbose progress indicators
+  -n, --dry-run  make no actual changes
+
+  --help         display this message
+  --version      display program name and version
+END_USAGE
+
+    exit;
+}
+
+# Command-line options.  Note that this operates directly on @ARGV !
+our $debug   = 0;
+our $verbose = 0;
+sub handle_opts {
+    use Getopt::Long;
+    GetOptions(
+        'debug!'     => \$debug,
+        'verbose|v'  => \$verbose,
+
+        help         => \&usage,
+        version      => sub { print "$ME version $VERSION\n"; exit 0 },
+    ) or die "Try `$ME --help' for help\n";
+}
+
+# END   boilerplate args checking, usage messages
+###############################################################################
+
+############################## CODE BEGINS HERE ###############################
+
+# The term is "modulino".
+__PACKAGE__->main()                                     unless caller();
+
+# Main code.
+sub main {
+    # Note that we operate directly on @ARGV, not on function parameters.
+    # This is deliberate: it's because Getopt::Long only operates on @ARGV
+    # and there's no clean way to make it use @_.
+    handle_opts();                      # will set package globals
+
+    # Fetch command-line arguments.  Barf if too many.
+    die "$ME: Too many arguments; try $ME --help\n"                 if @ARGV;
+
+    my $help = skopeo_help();
+    my $man  = skopeo_man('skopeo');
+
+    xref_by_help($help, $man);
+    xref_by_man($help, $man);
+
+    exit !!$Errs;
+}
+
+###############################################################################
+# BEGIN cross-referencing
+
+##################
+#  xref_by_help  #  Find keys in '--help' but not in man
+##################
+sub xref_by_help {
+    my ($help, $man, @subcommand) = @_;
+
+    for my $k (sort keys %$help) {
+        if (exists $man->{$k}) {
+            if (ref $help->{$k}) {
+                xref_by_help($help->{$k}, $man->{$k}, @subcommand, $k);
+            }
+            # Otherwise, non-ref is leaf node such as a --option
+        }
+        else {
+            my $man = $man->{_path} || 'man';
+            warn "$ME: skopeo @subcommand --help lists $k, but $k not in $man\n";
+            ++$Errs;
+        }
+    }
+}
+
+#################
+#  xref_by_man  #  Find keys in man pages but not in --help
+#################
+#
+# In an ideal world we could share the functionality in one function; but
+# there are just too many special cases in man pages.
+#
+sub xref_by_man {
+    my ($help, $man, @subcommand) = @_;
+
+    # FIXME: this generates way too much output
+    for my $k (grep { $_ ne '_path' } sort keys %$man) {
+        if (exists $help->{$k}) {
+            if (ref $man->{$k}) {
+                xref_by_man($help->{$k}, $man->{$k}, @subcommand, $k);
+            }
+        }
+        elsif ($k ne '--help' && $k ne '-h') {
+            my $man = $man->{_path} || 'man';
+
+            warn "$ME: skopeo @subcommand: $k in $man, but not --help\n";
+            ++$Errs;
+        }
+    }
+}
+
+# END   cross-referencing
+###############################################################################
+# BEGIN data gathering
+
+#################
+#  skopeo_help  #  Parse output of 'skopeo [subcommand] --help'
+#################
+sub skopeo_help {
+    my %help;
+    open my $fh, '-|', $SKOPEO, @_, '--help'
+        or die "$ME: Cannot fork: $!\n";
+    my $section = '';
+    while (my $line = <$fh>) {
+        # Cobra is blessedly consistent in its output:
+        #    Usage: ...
+        #    Available Commands:
+        #       ....
+        #    Options:
+        #       ....
+        #
+        # Start by identifying the section we're in...
+        if ($line =~ /^Available\s+(Commands):/) {
+            $section = lc $1;
+        }
+        elsif ($line =~ /^(Flags):/) {
+            $section = lc $1;
+        }
+
+        # ...then track commands and options. For subcommands, recurse.
+        elsif ($section eq 'commands') {
+            if ($line =~ /^\s{1,4}(\S+)\s/) {
+                my $subcommand = $1;
+                print "> skopeo @_ $subcommand\n"               if $debug;
+                $help{$subcommand} = skopeo_help(@_, $subcommand)
+                    unless $subcommand eq 'help';       # 'help' not in man
+            }
+        }
+        elsif ($section eq 'flags') {
+            # Handle '--foo' or '-f, --foo'
+            if ($line =~ /^\s{1,10}(--\S+)\s/) {
+                print "> skopeo @_ $1\n"                        if $debug;
+                $help{$1} = 1;
+            }
+            elsif ($line =~ /^\s{1,10}(-\S),\s+(--\S+)\s/) {
+                print "> skopeo @_ $1, $2\n"                    if $debug;
+                $help{$1} = $help{$2} = 1;
+            }
+        }
+    }
+    close $fh
+        or die "$ME: Error running 'skopeo @_ --help'\n";
+
+    return \%help;
+}
+
+
+################
+#  skopeo_man  #  Parse contents of skopeo-*.1.md
+################
+sub skopeo_man {
+    my $command = shift;
+    my $manpath = "$Docs_Path/$command.1.md";
+    print "** $manpath \n"                              if $debug;
+
+    my %man = (_path => $manpath);
+    open my $fh, '<', $manpath
+        or die "$ME: Cannot read $manpath: $!\n";
+    my $section = '';
+    my @most_recent_flags;
+    my $previous_subcmd = '';
+    while (my $line = <$fh>) {
+        chomp $line;
+        next unless $line;		# skip empty lines
+
+        # .md files designate sections with leading double hash
+        if ($line =~ /^##\s*OPTIONS/) {
+            $section = 'flags';
+        }
+        elsif ($line =~ /^\#\#\s+(SUB)?COMMANDS/) {
+            $section = 'commands';
+        }
+        elsif ($line =~ /^\#\#[^#]/) {
+            $section = '';
+        }
+
+        # This will be a table containing subcommand names, links to man pages.
+        elsif ($section eq 'commands') {
+            # In skopeo.1.md
+            if ($line =~ /^\|\s*\[skopeo-(\S+?)\(\d\)\]/) {
+                # $1 will be changed by recursion _*BEFORE*_ left-hand assignment
+                my $subcmd = $1;
+                $man{$subcmd} = skopeo_man("skopeo-$1");
+            }
+        }
+
+        # Options should always be of the form '**-f**' or '**\-\-flag**',
+        # possibly separated by comma-space.
+        elsif ($section eq 'flags') {
+            # If option has long and short form, long must come first.
+            # This is a while-loop because there may be multiple long
+            # option names (not in skopeo ATM, but leave the possibility open)
+            while ($line =~ s/^\*\*(--[a-z0-9.-]+)\*\*(=\*[a-zA-Z0-9-]+\*)?(,\s+)?//g) {
+                $man{$1} = 1;
+            }
+            # Short form
+            if ($line =~ s/^\*\*(-[a-zA-Z0-9.])\*\*(=\*[a-zA-Z0-9-]+\*)?//g) {
+                $man{$1} = 1;
+            }
+        }
+    }
+    close $fh;
+
+    return \%man;
+}
+
+
+
+# END   data gathering
+###############################################################################
+
+1;
--- a/install.md
+++ b/install.md
@@ -1,7 +1,8 @@
-# Installing from packages
+# Installing Skopeo

 ## Distribution Packages
-`skopeo` may already be packaged in your distribution.
+`skopeo` may already be packaged in your distribution. This document lists the
+installation steps for many distros, along with their information and support links.

 ### Fedora

@@ -9,34 +10,26 @@
 sudo dnf -y install skopeo
 ```

-### RHEL/CentOS ≥ 8 and CentOS Stream
+[Package Info](https://src.fedoraproject.org/rpms/skopeo) and
+[Bugzilla](https://bugzilla.redhat.com/buglist.cgi?bug_status=__open__&classification=Fedora&component=skopeo&product=Fedora)
+
+Fedora bugs can be reported on the Skopeo GitHub [Issues](https://github.com/containers/skopeo/issues) page.
+
+### RHEL / CentOS Stream ≥ 8

 ```sh
 sudo dnf -y install skopeo
 ```

-Newer Skopeo releases may be available on the repositories provided by the
-Kubic project. Beware, these may not be suitable for production environments.
+If you are a RHEL customer, please reach out through the official RHEL support
+channels for any issues.

-on CentOS 8:
+CentOS Stream 9: [Package Info](https://gitlab.com/redhat/centos-stream/rpms/skopeo/-/tree/c9s) and
+[Bugzilla](https://bugzilla.redhat.com/buglist.cgi?bug_status=__open__&classification=Red%20Hat&component=skopeo&product=Red%20Hat%20Enterprise%20Linux%209&version=CentOS%20Stream)

-```sh
-sudo dnf -y module disable container-tools
-sudo dnf -y install 'dnf-command(copr)'
-sudo dnf -y copr enable rhcontainerbot/container-selinux
-sudo curl -L -o /etc/yum.repos.d/devel:kubic:libcontainers:stable.repo https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/CentOS_8/devel:kubic:libcontainers:stable.repo
-sudo dnf -y install skopeo
-```
+CentOS Stream 8: [Package Info](https://git.centos.org/rpms/skopeo/tree/c8s-stream-rhel8) and
+[Bugzilla](https://bugzilla.redhat.com/buglist.cgi?bug_status=__open__&classification=Red%20Hat&component=skopeo&product=Red%20Hat%20Enterprise%20Linux%208&version=CentOS%20Stream)

-on CentOS 8 Stream:
-
-```sh
-sudo dnf -y module disable container-tools
-sudo dnf -y install 'dnf-command(copr)'
-sudo dnf -y copr enable rhcontainerbot/container-selinux
-sudo curl -L -o /etc/yum.repos.d/devel:kubic:libcontainers:stable.repo https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/CentOS_8_Stream/devel:kubic:libcontainers:stable.repo
-sudo dnf -y install skopeo
-```

 ### RHEL/CentOS ≤ 7.x

@@ -44,13 +37,7 @@ sudo dnf -y install skopeo
 sudo yum -y install skopeo
 ```

-Newer Skopeo releases may be available on the repositories provided by the
-Kubic project. Beware, these may not be suitable for production environments.
-
-```sh
-sudo curl -L -o /etc/yum.repos.d/devel:kubic:libcontainers:stable.repo https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/CentOS_7/devel:kubic:libcontainers:stable.repo
-sudo yum -y install skopeo
-```
+CentOS 7: [Package Repo](https://git.centos.org/rpms/skopeo/tree/c7-extras)

 ### openSUSE

@@ -58,12 +45,32 @@ sudo yum -y install skopeo
 sudo zypper install skopeo
 ```

+[Package Info](https://software.opensuse.org/package/skopeo)
+
 ### Alpine

 ```sh
 sudo apk add skopeo
 ```

+[Package Info](https://pkgs.alpinelinux.org/packages?name=skopeo)
+
+### Gentoo
+
+```sh
+sudo emerge app-containers/skopeo
+```
+
+[Package Info](https://packages.gentoo.org/packages/app-containers/skopeo)
+
+### Arch Linux
+
+```sh
+sudo pacman -S skopeo
+```
+
+[Package Info](https://archlinux.org/packages/extra/x86_64/skopeo/)
+
 ### macOS

 ```sh
@@ -75,60 +82,20 @@ brew install skopeo
 $ nix-env -i skopeo
 ```

+[Package Info](https://search.nixos.org/packages?&show=skopeo&query=skopeo)
+
 ### Debian

-The skopeo package is available in
-the [Bullseye (testing) branch](https://packages.debian.org/bullseye/skopeo), which
-will be the next stable release (Debian 11) as well as Debian Unstable/Sid.
+The skopeo package is available on [Bullseye](https://packages.debian.org/bullseye/skopeo),
+and Debian Testing and Unstable.

 ```bash
-# Debian Testing/Bullseye or Unstable/Sid
+# Debian Bullseye, Testing or Unstable/Sid
 sudo apt-get update
 sudo apt-get -y install skopeo
 ```

-If you would prefer newer (though not as well-tested) packages,
-the [Kubic project](https://build.opensuse.org/package/show/devel:kubic:libcontainers:stable/skopeo)
-provides packages for Debian 10 and newer. The packages in Kubic project repos are more frequently
-updated than the one in Debian's official repositories, due to how Debian works.
-The build sources for the Kubic packages can be found [here](https://gitlab.com/rhcontainerbot/skopeo/-/tree/debian/debian).
-
-CAUTION: On Debian 11 and newer, including Debian Testing and Sid, we highly recommend you use Buildah, Podman and Skopeo ONLY from EITHER the Kubic repo
-OR the official Debian repos. Mixing and matching may lead to unpredictable situations including installation conflicts.
-
-```bash
-# Debian 10
-echo 'deb https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/Debian_10/ /' > /etc/apt/sources.list.d/devel:kubic:libcontainers:stable.list
-curl -L https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/Debian_10/Release.key | sudo apt-key add -
-sudo apt-get update
-sudo apt-get -y install skopeo
-
-# Debian Testing
-echo 'deb https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/Debian_Testing/ /' > /etc/apt/sources.list.d/devel:kubic:libcontainers:stable.list
-curl -L https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/Debian_Testing/Release.key | sudo apt-key add -
-sudo apt-get update
-sudo apt-get -y install skopeo
-
-# Debian Sid/Unstable
-echo 'deb https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/Debian_Unstable/ /' > /etc/apt/sources.list.d/devel:kubic:libcontainers:stable.list
-curl -L https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/Debian_Unstable/Release.key | sudo apt-key add -
-sudo apt-get update
-sudo apt-get -y install skopeo
-```
-
-
-### Raspberry Pi OS armhf (ex Raspbian)
-
-The Kubic project provides packages for Raspbian 10.
-
-```bash
-# Raspbian 10
-echo 'deb https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/Raspbian_10/ /' | sudo tee /etc/apt/sources.list.d/devel:kubic:libcontainers:stable.list
-curl -L https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/Raspbian_10/Release.key | sudo apt-key add -
-sudo apt-get update -qq
-sudo apt-get -qq -y install skopeo
-```
-
+[Package Info](https://packages.debian.org/stable/skopeo)

 ### Raspberry Pi OS arm64 (beta)

@@ -148,37 +115,35 @@ sudo apt-get -y update
 sudo apt-get -y install skopeo
 ```

-If you would prefer newer (though not as well-tested) packages,
-the [Kubic project](https://build.opensuse.org/package/show/devel:kubic:libcontainers:stable/skopeo)
-provides packages for active Ubuntu releases 18.04 and newer (it should also work with direct derivatives like Pop!\_OS).
-Checkout the [Kubic project page](https://build.opensuse.org/package/show/devel:kubic:libcontainers:stable/skopeo)
-for a list of supported Ubuntu version and
-architecture combinations. **NOTE:** The command `sudo apt-get -y upgrade`
-maybe required in some cases if Skopeo cannot be installed without it.
-The build sources for the Kubic packages can be found [here](https://gitlab.com/rhcontainerbot/skopeo/-/tree/debian/debian).
+[Package Info](https://packages.ubuntu.com/jammy/skopeo)

-CAUTION: On Ubuntu 20.10 and newer, we highly recommend you use Buildah, Podman and Skopeo ONLY from EITHER the Kubic repo
-OR the official Ubuntu repos. Mixing and matching may lead to unpredictable situations including installation conflicts.
+### Windows
+Skopeo has not yet been packaged for Windows. There is an [open feature
+request](https://github.com/containers/skopeo/issues/715) and contributions are
+always welcome.
+
+## Container Images
+
+Skopeo container images are available at `quay.io/skopeo/stable:latest`.
+For example,

 ```bash
-. /etc/os-release
-echo "deb https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/xUbuntu_${VERSION_ID}/ /" | sudo tee /etc/apt/sources.list.d/devel:kubic:libcontainers:stable.list
-curl -L https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/xUbuntu_${VERSION_ID}/Release.key | sudo apt-key add -
-sudo apt-get update
-sudo apt-get -y upgrade
-sudo apt-get -y install skopeo
+podman run docker://quay.io/skopeo/stable:latest copy --help
 ```

+The skopeo container image build context and automation are
+located at [https://github.com/containers/image_build/tree/main/skopeo](https://github.com/containers/image_build/tree/main/skopeo)
+
+
+## Building from Source

 Otherwise, read on for building and installing it from source:

-To build the `skopeo` binary you need at least Go 1.12.
+To build the `skopeo` binary you need at least Go 1.22.

 There are two ways to build skopeo: in a container, or locally without a
 container. Choose the one which better matches your needs and environment.

-## Building from Source
-
 ### Building without a container

 Building without a container requires a bit more manual work and setup in your
@@ -192,12 +157,12 @@ Install the necessary dependencies:

 ```bash
 # Fedora:
-sudo dnf install gpgme-devel libassuan-devel btrfs-progs-devel device-mapper-devel
+sudo dnf install gpgme-devel libassuan-devel btrfs-progs-devel
 ```

 ```bash
 # Ubuntu (`libbtrfs-dev` requires Ubuntu 18.10 and above):
-sudo apt install libgpgme-dev libassuan-dev libbtrfs-dev libdevmapper-dev
+sudo apt install libgpgme-dev libassuan-dev libbtrfs-dev pkg-config
 ```

 ```bash
@@ -207,7 +172,12 @@ brew install gpgme

 ```bash
 # openSUSE:
-sudo zypper install libgpgme-devel device-mapper-devel libbtrfs-devel glib2-devel
+sudo zypper install libgpgme-devel libbtrfs-devel glib2-devel
+```
+
+```bash
+# Arch Linux:
+sudo pacman -S base-devel gpgme btrfs-progs
 ```

 Make sure to clone this repository in your `GOPATH` - otherwise compilation fails.
@@ -219,6 +189,28 @@ cd $GOPATH/src/github.com/containers/skopeo && make bin/skopeo

 By default the `make` command (make all) will build bin/skopeo and the documentation locally.

+Building of documentation requires `go-md2man`. On systems that do not have this tool, the
+document generation can be skipped by passing `DISABLE_DOCS=1`:
+```
+DISABLE_DOCS=1 make
+```
+
+#### Additional prerequisites
+
+In order to dynamically link against system libraries and avoid compilation errors the ```CGO_ENABLED='1'``` flag must be enabled. You can easily check by ```go env | grep CGO_ENABLED```.
+
+An alternative would be to set the `BUILDTAGS=containers_image_openpgp` (this removes the dependency on `libgpgme` and its companion libraries).
+
+### Cross-compilation
+
+For cross-building skopeo, use the command `make bin/skopeo.OS.ARCH`, where OS represents
+the target operating system and ARCH stands for the desired architecture. For instance,
+to build skopeo for RISC-V 64-bit Linux, execute:
+
+```bash
+make bin/skopeo.linux.riscv64
+```
+
 ### Building documentation

 To build the manual you will need go-md2man.
@@ -233,6 +225,11 @@ sudo apt-get install go-md2man
 sudo dnf install go-md2man
 ```

+```
+# MacOS:
+brew install go-md2man
+```
+
 Then

 ```bash
@@ -252,6 +249,13 @@ Building in a container is simpler, but more restrictive:
 $ make binary
 ```

+### Shell completion scripts
+
+Skopeo has shell completion scripts for bash, zsh, fish and powershell. They are installed as part of `make install`.
+You may have to restart your shell in order for them to take effect.
+
+For instructions to manually generate and load the scripts please see `skopeo completion --help`.
+
 ### Installation

 Finally, after the binary and documentation is built:
@@ -259,3 +263,34 @@ Finally, after the binary and documentation is built:
 ```bash
 sudo make install
 ```
+
+### Building a static binary
+
+There have been efforts in the past to produce and maintain static builds, but the maintainers prefer to run Skopeo using distro packages or within containers. This is because static builds of Skopeo tend to be unreliable and functionally restricted. Specifically:
+- Some features of Skopeo depend on non-Go libraries like `libgpgme`.
+- Generating static Go binaries uses native Go libraries, which don't support e.g. `.local` or LDAP-based name resolution.
+
+That being said, if you would like to build Skopeo statically, you might be able to do it by combining all the following steps.
+- Export environment variable `CGO_ENABLED=0` (disabling CGO causes Go to prefer native libraries when possible, instead of dynamically linking against system libraries).
+- Set the `BUILDTAGS=containers_image_openpgp` Make variable (this removes the dependency on `libgpgme` and its companion libraries).
+- Clear the `GO_DYN_FLAGS` Make variable if even a dependency on the ELF interpreter is undesirable.
+
+Keep in mind that the resulting binary is unsupported and might crash randomly. Only use if you know what you're doing!
+
+For more information, history, and context about static builds, check the following issues:
+
+- [#391] - Consider distributing statically built binaries as part of release
+- [#669] - Static build fails with segmentation violation
+- [#670] - Fixing static binary build using container
+- [#755] - Remove static and in-container targets from Makefile
+- [#932] - Add nix derivation for static builds
+- [#1336] - Unable to run skopeo on Fedora 30 (due to dyn lib dependency)
+- [#1478] - Publish binary releases to GitHub (request+discussion)
+
+[#391]: https://github.com/containers/skopeo/issues/391
+[#669]: https://github.com/containers/skopeo/issues/669
+[#670]: https://github.com/containers/skopeo/issues/670
+[#755]: https://github.com/containers/skopeo/issues/755
+[#932]: https://github.com/containers/skopeo/issues/932
+[#1336]: https://github.com/containers/skopeo/issues/1336
+[#1478]: https://github.com/containers/skopeo/issues/1478
--- a/integration/blocked_test.go
+++ b/integration/blocked_test.go
@@ -1,34 +1,34 @@
 package main

-import (
-	"github.com/go-check/check"
-)
-
 const blockedRegistriesConf = "./fixtures/blocked-registries.conf"
 const blockedErrorRegex = `.*registry registry-blocked.com is blocked in .*`

-func (s *SkopeoSuite) TestCopyBlockedSource(c *check.C) {
-	assertSkopeoFails(c, blockedErrorRegex,
+func (s *skopeoSuite) TestCopyBlockedSource() {
+	t := s.T()
+	assertSkopeoFails(t, blockedErrorRegex,
 		"--registries-conf", blockedRegistriesConf, "copy",
 		"docker://registry-blocked.com/image:test",
 		"docker://registry-unblocked.com/image:test")
 }

-func (s *SkopeoSuite) TestCopyBlockedDestination(c *check.C) {
-	assertSkopeoFails(c, blockedErrorRegex,
+func (s *skopeoSuite) TestCopyBlockedDestination() {
+	t := s.T()
+	assertSkopeoFails(t, blockedErrorRegex,
 		"--registries-conf", blockedRegistriesConf, "copy",
 		"docker://registry-unblocked.com/image:test",
 		"docker://registry-blocked.com/image:test")
 }

-func (s *SkopeoSuite) TestInspectBlocked(c *check.C) {
-	assertSkopeoFails(c, blockedErrorRegex,
+func (s *skopeoSuite) TestInspectBlocked() {
+	t := s.T()
+	assertSkopeoFails(t, blockedErrorRegex,
 		"--registries-conf", blockedRegistriesConf, "inspect",
 		"docker://registry-blocked.com/image:test")
 }

-func (s *SkopeoSuite) TestDeleteBlocked(c *check.C) {
-	assertSkopeoFails(c, blockedErrorRegex,
+func (s *skopeoSuite) TestDeleteBlocked() {
+	t := s.T()
+	assertSkopeoFails(t, blockedErrorRegex,
 		"--registries-conf", blockedRegistriesConf, "delete",
 		"docker://registry-blocked.com/image:test")
 }
--- a/Show More
+++ b/Show More