Work with remote images registries - retrieving information, images, signing content

Containers

Last update: Jan 5, 2023

Related tags

Miscellaneous skopeo

Overview

skopeo

skopeo is a command line utility that performs various operations on container images and image repositories.

skopeo does not require the user to be running as root to do most of its operations.

skopeo does not require a daemon to be running to perform its operations.

skopeo can work with OCI images as well as the original Docker v2 images.

Skopeo works with API V2 container image registries such as docker.io and quay.io registries, private registries, local directories and local OCI-layout directories. Skopeo can perform operations which consist of:

Copying an image from and to various storage mechanisms. For example you can copy images from one registry to another, without requiring privilege.
Inspecting a remote image showing its properties including its layers, without requiring you to pull the image to the host.
Deleting an image from an image repository.
Syncing an external image repository to an internal registry for air-gapped deployments.
When required by the repository, skopeo can pass the appropriate credentials and certificates for authentication.

Skopeo operates on the following image and repository types:

containers-storage:docker-reference An image located in a local containers/storage image store. Both the location and image store are specified in /etc/containers/storage.conf. (This is the backend for Podman, CRI-O, Buildah and friends)
dir:path An existing local directory path storing the manifest, layer tarballs and signatures as individual files. This is a non-standardized format, primarily useful for debugging or noninvasive container inspection.
docker://docker-reference An image in a registry implementing the "Docker Registry HTTP API V2". By default, uses the authorization state in $XDG_RUNTIME_DIR/containers/auth.json, which is set using skopeo login.
docker-archive:path[:docker-reference] An image is stored in a docker save-formatted file. docker-reference is only used when creating such a file, and it must not contain a digest.
docker-daemon:docker-reference An image docker-reference stored in the docker daemon internal storage. docker-reference must contain either a tag or a digest. Alternatively, when reading images, the format can also be docker-daemon:algo:digest (an image ID).
oci:path:tag An image tag in a directory compliant with "Open Container Image Layout Specification" at path.

Inspecting a repository

skopeo is able to inspect a repository on a container registry and fetch images layers. The inspect command fetches the repository's manifest and it is able to show you a docker inspect-like json output about a whole repository or a tag. This tool, in contrast to docker inspect, helps you gather useful information about a repository or a tag before pulling it (using disk space). The inspect command can show you which tags are available for the given repository, the labels the image has, the creation date and operating system of the image and more.

Examples:

Show properties of fedora:latest

$ skopeo inspect docker://registry.fedoraproject.org/fedora:latest
{
    "Name": "registry.fedoraproject.org/fedora",
    "Digest": "sha256:655721ff613ee766a4126cb5e0d5ae81598e1b0c3bcf7017c36c4d72cb092fe9",
    "RepoTags": [
        "24",
        "25",
        "26-modular",
	...
    ],
    "Created": "2020-04-29T06:48:16Z",
    "DockerVersion": "1.10.1",
    "Labels": {
        "license": "MIT",
        "name": "fedora",
        "vendor": "Fedora Project",
        "version": "32"
    },
    "Architecture": "amd64",
    "Os": "linux",
    "Layers": [
        "sha256:3088721d7dbf674fc0be64cd3cf00c25aab921cacf35fa0e7b1578500a3e1653"
    ],
    "Env": [
        "DISTTAG=f32container",
        "FGC=f32",
        "container=oci"
    ]
}

Show container configuration from `fedora:latest`

$ skopeo inspect --config docker://registry.fedoraproject.org/fedora:latest  | jq
{
  "created": "2020-04-29T06:48:16Z",
  "architecture": "amd64",
  "os": "linux",
  "config": {
    "Env": [
      "DISTTAG=f32container",
      "FGC=f32",
      "container=oci"
    ],
    "Cmd": [
      "/bin/bash"
    ],
    "Labels": {
      "license": "MIT",
      "name": "fedora",
      "vendor": "Fedora Project",
      "version": "32"
    }
  },
  "rootfs": {
    "type": "layers",
    "diff_ids": [
      "sha256:a4c0fa2b217d3fd63d51e55a6fd59432e543d499c0df2b1acd48fbe424f2ddd1"
    ]
  },
  "history": [
    {
      "created": "2020-04-29T06:48:16Z",
      "comment": "Created by Image Factory"
    }
  ]
}

Show unverified image's digest

$ skopeo inspect docker://registry.fedoraproject.org/fedora:latest | jq '.Digest'
"sha256:655721ff613ee766a4126cb5e0d5ae81598e1b0c3bcf7017c36c4d72cb092fe9"

Copying images

skopeo can copy container images between various storage mechanisms, including:

Container registries
- The Quay, Docker Hub, OpenShift, GCR, Artifactory ...
Container Storage backends
- github.com/containers/storage (Backend for Podman, CRI-O, Buildah and friends)
- Docker daemon storage
Local directories
Local OCI-layout directories

$ skopeo copy docker://quay.io/buildah/stable docker://registry.internal.company.com/buildah
$ skopeo copy oci:busybox_ocilayout:latest dir:existingemptydirectory

Deleting images

$ skopeo delete docker://localhost:5000/imagename:latest

Syncing registries

$ skopeo sync --src docker --dest dir registry.example.com/busybox /media/usb

Authenticating to a registry

Private registries with authentication

skopeo uses credentials from the --creds (for skopeo inspect|delete) or --src-creds|--dest-creds (for skopeo copy) flags, if set; otherwise it uses configuration set by skopeo login, podman login, buildah login, or docker login.

$ skopeo login --username USER docker://myregistrydomain.com:5000
Password:
$ skopeo inspect docker://myregistrydomain.com:5000/busybox
{"Tag":"latest","Digest":"sha256:473bb2189d7b913ed7187a33d11e743fdc2f88931122a44d91a301b64419f092","RepoTags":["latest"],"Comment":"","Created":"2016-01-15T18:06:41.282540103Z","ContainerConfig":{"Hostname":"aded96b43f48","Domainname":"","User":"","AttachStdin":false,"AttachStdout":false,"AttachStderr":false,"Tty":false,"OpenStdin":false,"StdinOnce":false,"Env":null,"Cmd":["/bin/sh","-c","#(nop) CMD [\"sh\"]"],"Image":"9e77fef7a1c9f989988c06620dabc4020c607885b959a2cbd7c2283c91da3e33","Volumes":null,"WorkingDir":"","Entrypoint":null,"OnBuild":null,"Labels":null},"DockerVersion":"1.8.3","Author":"","Config":{"Hostname":"aded96b43f48","Domainname":"","User":"","AttachStdin":false,"AttachStdout":false,"AttachStderr":false,"Tty":false,"OpenStdin":false,"StdinOnce":false,"Env":null,"Cmd":["sh"],"Image":"9e77fef7a1c9f989988c06620dabc4020c607885b959a2cbd7c2283c91da3e33","Volumes":null,"WorkingDir":"","Entrypoint":null,"OnBuild":null,"Labels":null},"Architecture":"amd64","Os":"linux"}
$ skopeo logout docker://myregistrydomain.com:5000

Using --creds directly

$ skopeo inspect --creds=testuser:testpassword docker://myregistrydomain.com:5000/busybox
{"Tag":"latest","Digest":"sha256:473bb2189d7b913ed7187a33d11e743fdc2f88931122a44d91a301b64419f092","RepoTags":["latest"],"Comment":"","Created":"2016-01-15T18:06:41.282540103Z","ContainerConfig":{"Hostname":"aded96b43f48","Domainname":"","User":"","AttachStdin":false,"AttachStdout":false,"AttachStderr":false,"Tty":false,"OpenStdin":false,"StdinOnce":false,"Env":null,"Cmd":["/bin/sh","-c","#(nop) CMD [\"sh\"]"],"Image":"9e77fef7a1c9f989988c06620dabc4020c607885b959a2cbd7c2283c91da3e33","Volumes":null,"WorkingDir":"","Entrypoint":null,"OnBuild":null,"Labels":null},"DockerVersion":"1.8.3","Author":"","Config":{"Hostname":"aded96b43f48","Domainname":"","User":"","AttachStdin":false,"AttachStdout":false,"AttachStderr":false,"Tty":false,"OpenStdin":false,"StdinOnce":false,"Env":null,"Cmd":["sh"],"Image":"9e77fef7a1c9f989988c06620dabc4020c607885b959a2cbd7c2283c91da3e33","Volumes":null,"WorkingDir":"","Entrypoint":null,"OnBuild":null,"Labels":null},"Architecture":"amd64","Os":"linux"}

$ skopeo copy --src-creds=testuser:testpassword docker://myregistrydomain.com:5000/private oci:local_oci_image

Obtaining skopeo

For a detailed description how to install or build skopeo, see install.md.

Contributing

Please read the contribution guide if you want to collaborate in the project.

Commands

Command	Description
skopeo-copy(1)	Copy an image (manifest, filesystem layers, signatures) from one location to another.
skopeo-delete(1)	Mark the image-name for later deletion by the registry's garbage collector.
skopeo-inspect(1)	Return low-level information about image-name in a registry.
skopeo-list-tags(1)	Return a list of tags for the transport-specific image repository.
skopeo-login(1)	Login to a container registry.
skopeo-logout(1)	Logout of a container registry.
skopeo-manifest-digest(1)	Compute a manifest digest for a manifest-file and write it to standard output.
skopeo-standalone-sign(1)	Debugging tool - Publish and sign an image in one step.
skopeo-standalone-verify(1)	Verify an image signature.
skopeo-sync(1)	Synchronize images between container registries and local directories.

License

skopeo is licensed under the Apache License, Version 2.0. See LICENSE for the full license text.

Comments

Introduce the sync command
The skopeo sync command can sync images between a SOURCE and a destination.

The purpose of this command is to assist with the mirroring of container images from different docker registries to a single docker registry.

Right now the following transport matrix is implemented:

docker:// -> docker://

docker:// -> dir:

dir: -> docker://

The dir: transport is supported to handle the use case of air-gapped environments. In this context users can perform an initial sync on a trusted machine connected to the internet; that would be a docker:// -> dir: sync. The target directory can be copied to a removable drive that can then be plugged into a node of the air-gapped environment. From there a dir: -> docker:// sync will import all the images into the registry serving the air-gapped environment.

The image namespace is changed during the docker:// to docker:// or dir: copy. The FQDN of the registry hosting the image will be added as new root namespace of the image. For example, the image registry.example.com/busybox:latest will be copied to registry.local.lan/registry.example.com/busybox:latest.

The image namespace is not changed when doing a dir: -> docker:// sync operation.

The alteration of the image namespace is used to nicely scope images coming from different registries (the Docker Hub, quay.io, gcr, other registries). That allows all of them to be hosted on the same registry without incurring in clashes and making their origin explicit.

TODO

I hope you like this feature and the direction it's going. Once we agree on its final design we will update this PR to extend the current test suites.

Future work

Currently sync will keep adding missing content from SOURCE to DESTINATION. It would be nice to add a --delete flag to remove from DESTINATION contents that are no longer available inside of SOURCE. That would be a bit like rsync's--delete` flag.

If wanted, that should be addressed with a separate PR.

Signed-off-by: Flavio Castelli [email protected] Co-authored-by: Marco Vedovati [email protected]
opened by flavio 77
use user/pass flags

We already use global flags for docker specific stuff. This patch enables --username and --password to be passed down to containers/image to setup docker's registries auth.

Fixes #253

@mtrmac @cyphar PTAL

Signed-off-by: Antonio Murdaca [email protected]

opened by runcom 41
Cirrus: Run checks directly on the host

In order to meet achievable deadlines converting from Travis to Cirrus CI, one significant artifact was carried forward (instead of fixing):

Depending on a --privileged container to execute all/most automated checks/tests.

Prior attempts to remove this aspect resulted in several test failures. Fixing the problems was viewed as more time-consuming than simply preserving this runtime environment.

Time has passed, and the code has since moved on. This commit removes the legacy need to execute CI operations in a --privileged container, instead running them directly on the host. At the same time, the necessary test binaries are obtained from the same container used for development/local testing purposes. This ensures the two experiences are virtually always identical.

opened by cevich 37
Using 'skopeo copy' to a registry that requires aws credentials return 403

I am trying to use 'skopeo copy' to copy an image from my local registry to a different registry that I can login to using 'aws ecr get-login' command.

After running the login command I get the credentials saved under $HOME/.docker/config.json.

Running this: docker run -v ~/.docker:/root/.docker:Z --rm --net=host luebken/skopeo skopeo copy docker://rackattack-nas.dc1:5000/kubernetes-manager:bd6c5759f401652fc938a239b73631756b60879f_kubernetes-manager docker://registry.maestro.stratoscale.com/kubernetes-manager:bd6c5759f401652fc938a239b73631756b60879f_kubernetes-manager

gets me this response: time="2017-08-27T14:23:27Z" level=fatal msg="Error writing blob: Error initiating layer upload to kubernetes-manager/blobs/uploads/, status 403"

I entered the container and saw that the the config.json is where it suppose to be and was mounted correctly.

Is there any way I can use 'skopeo copy' using aws ecr credentials?

Thanks!

opened by mickey-stratoscale 35
skopeo inspect command - introduce a way to skip querying all available tags
The commit in this PR introduces a new option to the inspect command which allows users to specify whether they want to disable querying and displaying all available tags for the image being inspected. This has been requested in https://github.com/containers/skopeo/issues/785

The new option is --query-tags which defaults to true (to preserve backward compatibility) and is an optional optional. When set to --query-tags=false the implementation skips querying the tags for the repository and the displayed output will contain an empty RepoTags[] property:

{ "Name": "docker.io/library/python", "Digest": "sha256:5ca194a80ddff913ea49c8154f38da66a41d2b73028c5cf7e46bc3c1d6fda572", "RepoTags": [], ...

I couldn't find existing tests for this command so I haven't updated/added any. However, I've run a bunch of manual tests (with --query-tags=false, with --query-tags, with --query-tags=true, without --query-tags) and they all have gone fine.

Additionally, from a performance point of view, when not using or when not setting this to false and doing an inspect on a image which is expected to have a large number of tags (for example docker.io/library/python) results in a very noticable and big improvement. For example, the following command without this new option returns in around 15-16 seconds consistently (and displays all available tags):

time bin/skopeo inspect --override-arch=amd64 --override-os=linux docker://docker.io/library/python .... real 0m15.884s user 0m0.173s sys 0m0.131s

Whereas when run with --query-tags=false for the same image, it returns consistently in around 8-9 seconds (of course with RepoTags: []):

time bin/skopeo inspect --query-tags=false --override-arch=amd64 --override-os=linux docker://docker.io/library/python ... real 0m8.444s user 0m0.153s sys 0m0.120s
opened by jaikiran 34
skopeo inspect: a way how to avoid fetching all tags from repository

Hello,

in our use cases we need to get only information about image, like labels, but we don't need all repoTags. We have repositories with many tags (1700+) and it is resource consuming to get all tags from registry and just drop that.

Could you please provide a way how to avoid fetching repotags?

Thank you
stale-issue

opened by MartinBasti 33

Image format docker-archive is not equivalent to docker save

The format of an image copied from the Docker Hub to docker-archive://my-image is not what is produced by docker save. docker save produces a image that follows this spec. Basically, the image layout is such as:

├── 47bcc53f74dc94b1920f0b34f6036096526296767650f223433fe65c35f149eb.json
├── 5f29f704785248ddb9d06b90a11b5ea36c534865e9035e4022bb2e71d4ecbb9a
│   ├── VERSION
│   ├── json
│   └── layer.tar
├── a65da33792c5187473faa80fa3e1b975acba06712852d1dea860692ccddf3198
│   ├── VERSION
│   ├── json
│   └── layer.tar
├── manifest.json
└── repositories

While the format of the image produced by Skopeo only contains tar.gz file and a manifest.json such as:

sha256:5a132a7e7af11f304041e93efb9cb2a0a7839bccaec5a03cfbdc9a3f5d0eb481
sha256:fd2731e4c50ce221d785d4ce26a8430bca9a95bfe4162fafc997a1cc65682cce
sha256:28a2f68d1120598986362662445c47dce7ec13c2662479e7aab9f0ecad4a7416
sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4
sha256:07c86167cdc4264926fa5d2894e34a339ad27f730e8cc81a16cd21b7479e8eac
manifest.json

What is this format? Is there a spec somewhere? Or would it be possible to be compliant with docker save ?

opened by nlewo 32

Consider distributing statically built binaries as part of release

Currently if you're not using Fedora, you're kinda outta luck and you have to build from source. When I see a project written in Go, it's sad to see it just cannot be built directly with go tool, or doesn't offer binary builds.

Travis CI can attach binaries to your releases. For example: https://github.com/ahmetb/govvv/releases

You can use https://github.com/mitchellh/gox to provide cross platform builds in your travis build or so.

Please consider distributing binary builds.
good first issue kind/feature

opened by ahmetb 31
Cirrus: Use updated VM images

Mainly this is to confirm some changes needed for the podman-py CI setup don't disrupt operations here. Ref:

https://github.com/containers/automation_images/pull/111

Signed-off-by: Chris Evich [email protected]

opened by cevich 29
Support namespaced logins for quay.io

Service accounts (a.k.a. robots) in quay.io are forcably namespaced to the user or orginization under which they are created. Therefore, it is impossible to use a common login/password to push images for both skopeo and containers namespaces. Worse, because the authentication is recorded against quay.io, multiple login sessions are required.

Fix this by adding a function definition which verifies non-empty username/password arguments, before logging in. Call this function as needed from relevant targets, prior to pushing images.

Signed-off-by: Chris Evich [email protected]

opened by cevich 28
Add skopeo rpm spec file to contrib

Adding skopeo spec file to repo to provide public access to files required to build rpm. Location in repo follows buildah's existing convention/location.

Spec file is from the srpm from the following repo with the commitid changed to REPLACEWITHCOMMITID to match buildah .spec convention: https://cbs.centos.org/repos/virt7-container-common-candidate/source/SRPMS/

Please advise if there is an updated version available or if there is an alternate location to access the spec.

Signed-off-by: pixdrift [email protected]

opened by pixdrift 28
[release-1.4] [CI:BUILD] Cirrus: Migrate OSX task to M1

Migrate our OSX build to a M1 instance, since Cirrus is sunsetting Intel-based macOS instances.

Signed-off-by: Ashley Cui [email protected] (cherry picked from commit b5ac534960bd4188f7fd847cec3225f55714abc4) Signed-off-by: Lokesh Mandvekar [email protected]
bug

opened by lsm5 11

Add `--mountns` or equivalent

For a use case I have, I'd like to execute a skopeo binary from inside a container image, but have it fetch data from containers-storage: which requires entering the host mount namespace.

Several low-level commands have gradually gained support for calling setns(); e.g. there's now mount -N: -N, --namespace <ns> perform mount in another namespace.

The key benefit of this is that it's performed after dynamic linking is done, so assuming no further external binaries are run it avoids a host dependency.

But a general well known problem with setns() and Go is that the runtime will happily spawn threads in the background to service goroutines which may not propagate the namespace.

I came across https://cs.github.com/containers/podman/blob/864288b8dabbe3eb89854b737cc7fbd93077aa1e/libpod/container_copy_linux.go?q=org%3Acontainers+setns+lang%3Ago#L17 which seems related.

Thinking about this, I wonder if we could add support to containers/storage for having it take an explicit mount namespace and perform operations there?

(I tried the below code, which worked for skopeo inspect --mount-namespace 1 containers-storage:docker.io/library/busybox but skopeo copy --mount-namespace 1 containers-storage:docker.io/library/busybox oci:/tmp/busybox fails trying to access some files, I think because the accesses are running on threads spawned before we were able to unshare...so to do this right we'd need to have the main entrypoint be either C or Rust)

diff --git a/cmd/skopeo/main.go b/cmd/skopeo/main.go
index 3f8a9621..af8132c8 100644
--- a/cmd/skopeo/main.go
+++ b/cmd/skopeo/main.go
@@ -3,6 +3,7 @@ package main
 import (
 	"context"
 	"fmt"
+	"os"
 	"strings"
 	"time"
 
@@ -13,6 +14,7 @@ import (
 	"github.com/containers/storage/pkg/reexec"
 	"github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
+	"golang.org/x/sys/unix"
 )
 
 // gitCommit will be the hash that the binary was built from
@@ -27,6 +29,7 @@ type globalOptions struct {
 	policyPath         string                  // Path to a signature verification policy file
 	insecurePolicy     bool                    // Use an "allow everything" signature verification policy
 	registriesDirPath  string                  // Path to a "registries.d" registry configuration directory
+	mountns            string                  // PID or path to specified mount namespace
 	overrideArch       string                  // Architecture to use for choosing images, instead of the runtime one
 	overrideOS         string                  // OS to use for choosing images, instead of the runtime one
 	overrideVariant    string                  // Architecture variant to use for choosing images, instead of the runtime one
@@ -83,6 +86,7 @@ func createApp() (*cobra.Command, *globalOptions) {
 	rootCommand.PersistentFlags().BoolVar(&opts.debug, "debug", false, "enable debug output")
 	rootCommand.PersistentFlags().StringVar(&opts.policyPath, "policy", "", "Path to a trust policy file")
 	rootCommand.PersistentFlags().BoolVar(&opts.insecurePolicy, "insecure-policy", false, "run the tool without any policy check")
+	rootCommand.PersistentFlags().StringVar(&opts.mountns, "mount-namespace", "", "Enter target mount namespace, specified via PID or magic link /proc/<pid>/ns/mnt")
 	rootCommand.PersistentFlags().StringVar(&opts.registriesDirPath, "registries.d", "", "use registry configuration files in `DIR` (e.g. for container signature storage)")
 	rootCommand.PersistentFlags().StringVar(&opts.overrideArch, "override-arch", "", "use `ARCH` instead of the architecture of the machine for choosing images")
 	rootCommand.PersistentFlags().StringVar(&opts.overrideOS, "override-os", "", "use `OS` instead of the running OS for choosing images")
@@ -121,6 +125,25 @@ func (opts *globalOptions) before(cmd *cobra.Command) error {
 	if opts.tlsVerify.Present() {
 		logrus.Warn("'--tls-verify' is deprecated, please set this on the specific subcommand")
 	}
+	if opts.mountns != "" {
+		if !strings.HasPrefix(opts.mountns, "/") {
+			opts.mountns = fmt.Sprintf("/proc/%s/ns/mnt", opts.mountns)
+		}
+
+		// AIUI, we need to unshare() because the process is already threaded
+		if err := unix.Unshare(unix.CLONE_NEWNS); err != nil {
+			return fmt.Errorf("failed to unshare mount namespace: %w", err)
+		}
+		fd, err := os.Open(opts.mountns)
+		if err != nil {
+			return err
+		}
+		defer fd.Close()
+
+		if err := unix.Setns(int(fd.Fd()), unix.CLONE_NEWNS); err != nil {
+			return fmt.Errorf("failed to enter mount namespace: %w", err)
+		}
+	}
 	return nil
 }

enhancement

opened by cgwalters 2

fix(deps): update module gopkg.in/yaml.v2 to v3
This PR contains the following updates:

| Package | Type | Update | Change | |---|---|---|---| | gopkg.in/yaml.v2 | require | major | v2.4.0 -> v3.0.1 |

Release Notes

go-yaml/yaml

v3.0.1

Compare Source

v3.0.0

Compare Source

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

[ ] If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.
dependencies
opened by renovate[bot] 0
skopeo copy multi-arch manifest from local containers-storage to private registry not working
$ podman images nodeimage

REPOSITORY TAG IMAGE ID CREATED SIZE localhost/nodeimage 9.arm64 95d9fe375ed3 17 hours ago 888 MB localhost/nodeimage 9.amd64 a523734ebdb1 17 hours ago 864 MB localhost/nodeimage 9 410c25c08493 17 hours ago 1.09 kB

$ podman inspect localhost/nodeimage:9.arm64|grep Digest

"Digest": "sha256:6db6e95b26c56459ffd63539e8f7b1418d15a8ba35e979bd61374779c20b80d3",

$ podman inspect localhost/nodeimage:9.amd64|grep Digest

"Digest": "sha256:e4cb67eb7189c6d7e02d7f394f3d28ea50af723ea853b984618b57d96aba4940",

$ podman manifest inspect localhost/nodeimage:9|grep sha256

"digest": "sha256:e4cb67eb7189c6d7e02d7f394f3d28ea50af723ea853b984618b57d96aba4940", "digest": "sha256:6db6e95b26c56459ffd63539e8f7b1418d15a8ba35e979bd61374779c20b80d3",

$ podman manifest inspect localhost/nodeimage:9

{ "schemaVersion": 2, "mediaType": "application/vnd.docker.distribution.manifest.list.v2+json", "manifests": [ { "mediaType": "application/vnd.oci.image.manifest.v1+json", "size": 1682, "digest": "sha256:e4cb67eb7189c6d7e02d7f394f3d28ea50af723ea853b984618b57d96aba4940", "platform": { "architecture": "amd64", "os": "linux" } }, { "mediaType": "application/vnd.oci.image.manifest.v1+json", "size": 1682, "digest": "sha256:6db6e95b26c56459ffd63539e8f7b1418d15a8ba35e979bd61374779c20b80d3", "platform": { "architecture": "arm64", "os": "linux", "variant": "v8" } } ] }

$ skopeo --debug copy --dest-registry-token $gcr_auth_token containers-storage:localhost/nodeimage:9 docker://us.gcr.io/localhost/nodeimage:9 --multi-arch all

DEBU[0000] [graphdriver] trying provided driver "overlay"

DEBU[0000] Cached value indicated that overlay is supported

DEBU[0000] Cached value indicated that overlay is supported

DEBU[0000] Cached value indicated that metacopy is being used

DEBU[0000] Cached value indicated that native-diff is not being used

INFO[0000] Not using native diff for overlay, this may cause degraded performance for building images: kernel has CONFIG_OVERLAY_FS_REDIRECT_DIR enabled

DEBU[0000] backingFs=xfs, projectQuotaSupported=false, useNativeDiff=false, usingMetacopy=true

DEBU[0000] parsed reference into "[overlay@/var/lib/containers/storage+/run/containers/storage:overlay.mountopt=nodev,metacopy=on]localhost/nodeimage:9"

DEBU[0000] Using registries.d directory /etc/containers/registries.d

DEBU[0000] Loading registries configuration "/etc/containers/registries.conf"

DEBU[0000] Loading registries configuration "/etc/containers/registries.conf.d/000-shortnames.conf"

DEBU[0000] Loading registries configuration "/etc/containers/registries.conf.d/001-rhel-shortnames.conf"

DEBU[0000] Loading registries configuration "/etc/containers/registries.conf.d/002-rhel-shortnames-overrides.conf"

DEBU[0000] Found credentials for us.gcr.io/localhost/nodeimage in credential helper containers-auth.json in file /run/user/0/containers/auth.json

DEBU[0000] Lookaside configuration: using "default-docker" configuration

DEBU[0000] Using "sigstore-staging" file:///var/lib/containers/sigstore

DEBU[0000] Looking for TLS certificates and private keys in /etc/docker/certs.d/us.gcr.io

DEBU[0000] Sigstore attachments: using "default-docker" configuration

DEBU[0000] Using blob info cache at /var/lib/containers/cache/blob-info-cache-v1.boltdb

DEBU[0000] Source is a manifest list; copying all instances

Getting image list signatures

DEBU[0000] Manifest list has MIME type application/vnd.oci.image.index.v1+json, ordered candidate list [application/vnd.oci.image.manifest.v1+json, application/vnd.docker.distribution.manifest.v2+json, application/vnd.oci.image.index.v1+json, application/vnd.docker.distribution.manifest.list.v2+json, application/vnd.docker.distribution.manifest.v1+prettyjws, application/vnd.docker.distribution.manifest.v1+json]

DEBU[0000] ... will use the original manifest list type, and then try [application/vnd.docker.distribution.manifest.list.v2+json]

Copying 2 of 2 images in list

DEBU[0000] Copying instance sha256:e4cb67eb7189c6d7e02d7f394f3d28ea50af723ea853b984618b57d96aba4940 (1/2) Copying image sha256:e4cb67eb7189c6d7e02d7f394f3d28ea50af723ea853b984618b57d96aba4940 (1/2)

FATA[0000] copying image 1/2 from manifest list: determining manifest MIME type for containers-storage:[overlay@/var/lib/containers/storage+/run/containers/storage:overlay.mountopt=nodev,metacopy=on]localhost/nodeimage:9@410c25c084931697396bd851fb1c726d1d7d8cfb7de98c91ed1bd10e8b3226ea: reading manifest for image instance "sha256:e4cb67eb7189c6d7e02d7f394f3d28ea50af723ea853b984618b57d96aba4940": locating item named "manifest-sha256:e4cb67eb7189c6d7e02d7f394f3d28ea50af723ea853b984618b57d96aba4940" for image with ID "410c25c084931697396bd851fb1c726d1d7d8cfb7de98c91ed1bd10e8b3226ea" (consider removing the image to resolve the issue): file does not exist
opened by prashant0810 1
proxy: Add `OpenImageWithRequiredSignatures`

In the bootc/ostree-container effort, I am trying to enforce signatures being enabled by default. The thing is, we kind of say that e.g. podman run <some image from docker hub or whatever> is "secure" - in the sense I'm using the word, we can and do fix security problems we find (mostly in the kernel) in a relatively timely fashion.

But booting a container (or running with --privileged as well as some more subtle options) completely change that.

As part of the proxy, I'd like to add an OpenImageWithRequiredSignatures API that requires that the remote image is signed in some way configured in containers-policy.json - IOW that the policy for fetching the image does not fall through to insecureAcceptAnything.

(I think it would make sense to also add podman pull --sigpolicy=required or so)

When I looked at this, it seemed feasible but would require some changes in c/image. Let me know if you have any thoughts.
enhancement

opened by cgwalters 4

Releases(v1.9.3)

v1.9.3(Oct 19, 2022)

Fixes reads/writes of sigstore signatures/attachments in quay.io and registry.redhat.io
Source code(tar.gz)
Source code(zip)
v1.10.0(Oct 1, 2022)
skopeo inspect now provides more information about individual layers.

The default /etc/containers/registries.d/default.yaml now has all entries commented-out, to use built-in defaults; that can change the default for lookaside-staging to use an unprivileged users’ home directory instead of a path in /var/.

GHA: Re-use identical workflow from buildah repo

Optimize upstream skopeo container image build

Fix running tests on macOS

Reformat with Go 1.19's gofmt

Fix a comment

Fix looking for commands with GNU make 4.2.1

Talk about "registry repositories" in (skopeo sync) documentation

Point at --all in the --preserve-digests option documentation

Remove unused GIT_BRANCH definition

Don't include git commit from a parent directory in the --version output

Update for c/image's update of github.com/gobuffalo/pop

Merge pull request https://github.com/containers/skopeo/pull/1737 from mtrmac/pop-v5-override

Stop using docker/docker/pkg/homedir in tests

add inspect layersData

Don't abort sync if the registry returns invalid tags

warn users about --dest-compress and --dest-decompress misuse

document imageDestOptions.warnAboutIneffectiveOptions()

warn about ineffective destination opts in sync cmd

default.yaml should have all options commented

Fix documentation in the default registries.d content.

[CI:DOCS] Add quay-description update reminder

Revert addition of -compat=1.17 to (go mod tidy)

Update for https://github.com/klauspost/pgzip/pull/50

Source code(tar.gz)
Source code(zip)
v1.9.2(Aug 2, 2022)
[CI:DOCS] Cirrus: Use the latest imgts container

Cirrus: Update CI VM images to match podman CI

Bump github.com/containers/common from 0.49.0 to 0.49.1

Source code(tar.gz)
Source code(zip)
v1.9.1(Jul 25, 2022)
Bump github.com/sirupsen/logrus from 1.8.1 to 1.9.0

Bump github.com/containers/storage from 1.41.0 to 1.42.0

Update to github.com/containers/image/v5 v5.22.0

Update to github.com/containers/common v0.49.0

Stop using deprecated names from c/common/pkg/retry

Source code(tar.gz)
Source code(zip)
v1.9.0(Jul 13, 2022)
Adds support for copying non-image OCI artifacts, and for creating and enforcing sigstore signatures.

Shell autocompletions are now auto-generated, adding support for zsh, fish and PowerShell.

Now requires Go 1.17.

Bump github.com/docker/docker

Config files live in /usr/local/etc on FreeBSD

Avoid hard-coding the location of bash

Bump github.com/containers/storage from 1.40.2 to 1.41.0

Bump github.com/docker/docker

add completion command to generate shell completion scripts

Remove cgo_pthread_ordering_workaround.go

Update c/image

Stop calling gpgme-config

shell completion: add Makefile target

shell completion: add install instructions docs

shell completion: add completion for transports names

[CI:DOCS] Pin actions to a full length commit SHA

Updated skopeo logo with new artwork

Update to gopkg.in/yaml.v3 v3.0.0

fix make completions for all POSIX shells

Update to github.com/opencontainers/runc >= 1.1.2

Cirrus: use Ubuntu 22.04 LTS

Bump github.com/containers/ocicrypt from 1.1.4 to 1.1.5

Bump github.com/stretchr/testify from 1.7.1 to 1.7.2

Bump github.com/docker/docker

Update go.mod to Go 1.17

Use testing.T.Setenv instead of os.Setenv in tests

Change a repo used for sync tests

Use an updated CI image

Update for docker/distribution CLI change

Enable schema1 support on the test registries

CoPR: Autobuild rpm on rhcontainerbot/podman-next

[CI:DOCS] Makefile: include cautionary note for rpm target

[CI:DOCS] skopeo.spec.rpkg: Fix syntax highlighting

Bump github.com/spf13/cobra from 1.4.0 to 1.5.0

Bump github.com/stretchr/testify from 1.7.2 to 1.7.4

Bump github.com/stretchr/testify from 1.7.4 to 1.7.5

Cirrus: Migrate multiarch build off github actions

Update & fix skopeo multiarch image Containerfiles

Use bytes.ReplaceAll instead of bytes.Replace(..., -1)

Update IRC information

Bump github.com/stretchr/testify from 1.7.5 to 1.8.0

Introduce noteCloseFailure, use it for reporting of cleanup errors

Modify error messages on failures to close

Remove uses of pkg/errors

Use errors.As() instead of direct type checks

Vendor unreleased c/image with OCI artifact support

Revert "Change a repo used for sync tests"

Vendor in c/image with sigstore support

Add --sign-by-sigstore-private-key to (skopeo copy) and (skopeo sync)

Update for the renames of sigstore to lookaside

Source code(tar.gz)
Source code(zip)
v1.8.0(May 7, 2022)
What's Changed

v1.7.0 by @mtrmac in https://github.com/containers/skopeo/pull/1606

Update skopeoimage/README.md that tags are v-prefixed by @glensc in https://github.com/containers/skopeo/pull/1607

Add dry-run mode to skopeo-sync by @rhatdan in https://github.com/containers/skopeo/pull/1608

delete non-existent option in the cmdline example by @masatake in https://github.com/containers/skopeo/pull/1611

Add option to specify the identity for signing by @Jamstah in https://github.com/containers/skopeo/pull/1610

Update to benefit from Go 1.16 by @mtrmac in https://github.com/containers/skopeo/pull/1621

Improve the (skopeo delete) man page by @mtrmac in https://github.com/containers/skopeo/pull/1597

Update vendor of containers/(common,storage,image) by @rhatdan in https://github.com/containers/skopeo/pull/1626

Cirrus: Update to F36 w/ netavark+aardvark-dns by @cevich in https://github.com/containers/skopeo/pull/1631

[CI:DOCS] install.md: remove Kubic package info for Ubuntu by @lsm5 in https://github.com/containers/skopeo/pull/1632

[CI:DOCS] install.md: include distro package info links by @lsm5 in https://github.com/containers/skopeo/pull/1633

Vendor in containers/(common, storage, image) by @rhatdan in https://github.com/containers/skopeo/pull/1635

Vendor in containers/storage v1.40.2 by @rhatdan in https://github.com/containers/skopeo/pull/1636

New Contributors

@glensc made their first contribution in https://github.com/containers/skopeo/pull/1607

@masatake made their first contribution in https://github.com/containers/skopeo/pull/1611

Full Changelog: https://github.com/containers/skopeo/compare/v1.7.0...v1.8.0
Source code(tar.gz)
Source code(zip)
v1.6.2(Apr 1, 2022)
Update the command to install golint

Bump github.com/prometheus/client_golang to v1.11.1

Source code(tar.gz)
Source code(zip)
v1.7.0(Mar 24, 2022)
skopeo list-tags docker-archive:… is now available.

Improve a comment in the 010-inspect.bats test

do not recommend upgrading all packages

Bump github.com/containers/image/v5 from 5.19.1 to 5.20.0

Update github.com/containerd/containerd

Bump github.com/docker/docker

Bump github.com/spf13/cobra from 1.3.0 to 1.4.0

Add support for docker-archive: to skopeo list-tags

Rename "self" receiver

Remove assignments to an unused variable

Add various missing error handling

Simplify the proxy server a bit

Bump github.com/stretchr/testify from 1.7.0 to 1.7.1

Use assert.ErrorContains

Update to Go 1.14 and revendor

Use check.C.MkDir() instead of manual ioutil.TempDir() calls

Formally record that we require Go 1.15

Update the command to install golint

Bump github.com/containers/ocicrypt from 1.1.2 to 1.1.3

Bump github.com/docker/docker

Bump github.com/containers/storage from 1.38.2 to 1.39.0

Bump github.com/containers/common from 0.47.4 to 0.47.5

Bump github.com/prometheus/client_golang to v1.11.1

Source code(tar.gz)
Source code(zip)
v1.6.1(Feb 16, 2022)
What's Changed

Release v1.6.0 by @mtrmac in https://github.com/containers/skopeo/pull/1561

tests: skip sif test on RHEL by @edsantiago in https://github.com/containers/skopeo/pull/1564

Bump c/common to v0.47.4 by @TomSweeneyRedHat in https://github.com/containers/skopeo/pull/1565

Cirrus: Use updated VM images by @cevich in https://github.com/containers/skopeo/pull/1558

Don't expect the config blob to be listed in (skopeo inspect) by @mtrmac in https://github.com/containers/skopeo/pull/1572

Resolved workaround by @mtrmac in https://github.com/containers/skopeo/pull/1568

Full Changelog: https://github.com/containers/skopeo/compare/v1.6.0...v1.6.1
Source code(tar.gz)
Source code(zip)
v1.6.0(Feb 2, 2022)
Highlights:

A new sif: transport

New options --multi-arch, --preserve-digests, --sign-passphrase-file

Use a dynamic temp dir for test

Add an option to allow copying image indexes alone

proxy: Add a GetFullConfig method

proxy: Also bump compatible semver

Add option to preserve digests on copy

Run codespell on code

prompt-less signing via passphrase file

add a SIF systemtest

Merge pull request #1550 from vrothberg/sif-test

Improve the documentation of the argument to (skopeo inspect)

Document where various fields of (skopeo inspect) come from

Improve the documentation of boolean flags

Source code(tar.gz)
Source code(zip)
v1.5.2(Nov 26, 2021)
What's Changed

Includes a fix for CVE-2021-41190 / GHSA-77vh-xpmg-72qh .

use fedora:latest in contrib/skopeoimage/*/Dockerfile

Fix test bug that prevented useful diagnostics on registry fail

proxy: Add an API to fetch the config upconverted to OCI

proxy: Add support for manifest lists

proxy: Uncapitalize all errors

Cirrus: Bump Fedora to release 35 & Ubuntu to 21.10

Update to c/image v5.17.0

Full Changelog: https://github.com/containers/skopeo/compare/v1.5.1...v1.5.2
Source code(tar.gz)
Source code(zip)
v1.5.1(Nov 4, 2021)
What's Changed

Bump to v1.5.1

main: Error out if an unrecognized subcommand is provided

move optional-flag code to c/common/pkg/flag

Add --dest-precompute-digests option for docker

bump containers/image to 2541165

Add instructions to generate static binaries

Add new experimental-image-proxy hidden command

issue#785 inspect command - introduce a way to skip querying available tags for an image

Document container images as an alternative to installing packages

Introduce --username and --password to pass credentials

Move to v1.5.1-dev

Full Changelog: https://github.com/containers/skopeo/compare/v1.5.0...v1.5.1
Source code(tar.gz)
Source code(zip)
v1.5.0(Oct 6, 2021)
What's Changed

Bump github.com/docker/docker from 20.10.7+incompatible to 20.10.8+incompatible by @dependabot in https://github.com/containers/skopeo/pull/1404

[CI:DOCS] Github: Add workflow to monitor Cirrus-Cron builds by @cevich in https://github.com/containers/skopeo/pull/1405

Cirrus: Run checks directly on the host by @cevich in https://github.com/containers/skopeo/pull/1334

systemtests: if registry times out, show container logs by @edsantiago in https://github.com/containers/skopeo/pull/1413

Add codespell fixes by @rhatdan in https://github.com/containers/skopeo/pull/1414

[CI:DOCS] Add OWNERS file by @rhatdan in https://github.com/containers/skopeo/pull/1420

Update non-module dependencies by @mtrmac in https://github.com/containers/skopeo/pull/1428

Run (gofmt -s -w) by @mtrmac in https://github.com/containers/skopeo/pull/1427

Bump github.com/containers/storage from 1.33.1 to 1.37.0 by @dependabot in https://github.com/containers/skopeo/pull/1439

Introduce DISABLE_DOCS to skip doc generation while building from source by @jaikiran in https://github.com/containers/skopeo/pull/1443

Update VM Images + Drop prior-ubuntu references by @cevich in https://github.com/containers/skopeo/pull/1444

Update to github.com/vbauerster/mpb v7.1.5 by @mtrmac in https://github.com/containers/skopeo/pull/1455

Remove the extra (defaults to true) help msg by @rhatdan in https://github.com/containers/skopeo/pull/1431

Bump github.com/containers/common from 0.42.0 to 0.46.0 by @dependabot in https://github.com/containers/skopeo/pull/1462

drop nix support by @lsm5 in https://github.com/containers/skopeo/pull/1463

Update installation doc with latest steps by @lsm5 in https://github.com/containers/skopeo/pull/1464

Introduce a --ignore option to allow "sync" command to continue syncing even after a particular image sync fails by @jaikiran in https://github.com/containers/skopeo/pull/1468

Update github.com/containerd/containerd to v1.5.7 by @mtrmac in https://github.com/containers/skopeo/pull/1472

Remove leftover Nix packaging files by @mtrmac in https://github.com/containers/skopeo/pull/1473

Bump github.com/docker/docker from 20.10.8+incompatible to 20.10.9+incompatible by @dependabot in https://github.com/containers/skopeo/pull/1471

Bump github.com/containers/image/v5 from 5.15.0 to 5.16.1 by @dependabot in https://github.com/containers/skopeo/pull/1474

Full Changelog: https://github.com/containers/skopeo/compare/v1.4.0...v1.5.0
Source code(tar.gz)
Source code(zip)
v1.4.1(Aug 20, 2021)
[release-1.4] Bump to v1.4.1

[release-1.4] Bump c/image 5.15.2 c/storage 1.34.1 c/common 0.42.1

[release-1.4] Bump c/storage 1.34.0, c/image 5.15.1 and c/common 0.43.0

Source code(tar.gz)
Source code(zip)
v1.4.0(Aug 2, 2021)
vendor-in-container: update to golang:1.16

Accept repositories on login/logout

update c/common, c/image, c/storage

Update on Building on Ubuntu

Add timeouts when waiting on OpenShift or the registry to start

Add docs and bash completions

Add support for decompressing while copying to dir://

Update to enabled containers/image version

Fix two instances of unused err found by go-staticcheck

Bump github.com/containers/storage from 1.32.6 to 1.33.0

Multi-arch image build: Daily version-tag push

CONTRIBUTING: small fixes to commands

Fix --tls-verify

Test both imageOptions and imageDestOptions in TestTLSVerifyFlags

Split testing of --tls-verify into separate TestTLSVerifyFlags

Add the --tls-verify option to (skopeo logout)

Fix using images from rate-limited docker hub

Use Fedora container for doccheck

Man page validation: part 2 of 2

docs: Adding info re container signatures

[CI:DOCS] Multi-arch image workflow: Make steps generic

Update nix pin with make nixpkgs

Cirrus: Freshen CI images

Bump github.com/containers/common from 0.40.1 to 0.41.0

Bump github.com/containers/storage from 1.32.5 to 1.32.6

Remove an unnecessary break

Remove an unnecessary Sprintf

Fix TestDockerRepositoryReferenceParser

Remove unused code

Set cobra.Command.CompletionOption already in createApp

Bump version to v1.4.0-dev

Revert "integration tests: disable ls for logs"

CONTRIBUTING: update vendoring instructions

disable completion command

Bump github.com/spf13/cobra from 1.2.0 to 1.2.1

Bump github.com/spf13/cobra from 1.1.3 to 1.2.0

Update tests for removal of error and Error from error messages

Fix some comments in man-page-checker

Improve the description of (skopeo list-tags)

Include the mandatory --output option in synopsis of (skopeo standalone-sign)

Support non-replaceable strings in synopsis

Use (make validate-local) in the validate target

man page checker - part 1 of 2

Cirrus: Rename cross -> osx task, add cross task.

Bump github.com/containers/ocicrypt from 1.1.1 to 1.1.2

Cirrus: Add vendor + tree status check

Run unit tests as well, not integration tests twice

Bump github.com/containers/storage from 1.32.4 to 1.32.5

Reintroduce the GNU semantics of DESTDIR

Add --retry-times to markdown docs

Workaround quay.io image build failure

Update brew to avoid 403 on accessing https://homebrew.bintray.com

Fix automation re: master->main rename

Bump github.com/containers/storage from 1.32.3 to 1.32.4

Bump github.com/containers/common from 0.40.0 to 0.40.1

Bump github.com/containers/storage from 1.32.2 to 1.32.3

Bump github.com/containers/image/v5 from 5.13.1 to 5.13.2

Fix documentation of the --format option of skopeo copy and skopeo sync

Bump github.com/containers/common from 0.39.0 to 0.40.0

Cirrus: New VM Images w/ podman 3.2.1

Bump github.com/containers/image/v5 from 5.12.0 to 5.13.1

Update nix pin with make nixpkgs

Fix multi-arch build version check

[CI:DOCS] Fix docs links due to branch rename

Bump github.com/containers/storage from 1.32.1 to 1.32.2

Update nix pin with make nixpkgs

Bump github.com/docker/docker

Fix wrong directory name

Support [CI:DOCS] mode

install.md Building Docs needs MacOS section

Bump github.com/containers/storage from 1.32.0 to 1.32.1

Bump github.com/containers/common from 0.38.4 to 0.39.0

Multi-arch github-action workflow unification

Bump github.com/containers/storage from 1.31.1 to 1.31.2

Move to v1.3.1-dev

Source code(tar.gz)
Source code(zip)
v1.3.1(Jun 29, 2021)
[release-1.3] Bump skopeo v1.3.1, c/storage v1.31.3, c/common v0.38.11

Source code(tar.gz)
Source code(zip)

v1.3.0(May 19, 2021)

Add the missing import and a gitignore entry for bin
Added `format` parameter to `sync` command
Bump github.com/containers/common from 0.36.0 to 0.38.4
Bump github.com/containers/image/v5 from 5.11.1 to 5.12.0
Bump github.com/containers/storage from 1.30.0 to 1.30.1
Cirrus: Improve test synchronization with c/image
Fix typos in docstrings
Makefile: Ensure policy.json uses new variable
Remove older distro docs
Travis -> Cirrus: MacOS Cross test
Travis -> Cirrus: validate, vendor, and test
Update F34beta -> F34 and U2010 -> U2104
Update nix pin with `make nixpkgs`
Upgrade to GitHub-native Dependabot
copy: Add --digestfile

Source code(tar.gz)
Source code(zip)

v1.2.3(Apr 15, 2021)

020-copy.bats: check that we set the manifest type correctly
Add local integration and system test targets
Bump github.com/containers/ocicrypt from 1.0.3 to 1.1.0
Bump github.com/gogo/protobuf/proto to v1.3.2
Bump github.com/spf13/cobra from 1.1.1 to 1.1.2
Bump github.com/stretchr/testify from 1.6.1 to 1.7.0
Bump skopoeoimage Dockerfiles to user Fedora 33
Cirrus: Add hack/get_ci_vm.sh support
Cirrus: Initial implementation support for GCP VMs
Cirrus: Update to use F34beta VM images
Dockerfile.build: switch to fedora:latest
Enable 'OptimizeDestinationImageAlreadyExists' feature
Fix Makefile to handle PREFIX correctly
Fix Makefile to handle PREFIX correctly
Fix for login / logout registry argument
Fix skipping tests in test container
Migrate tests from docker.io
Rebase against master and improve comment about gpgme-config
Set User-Agent to skopeo/$VERSION
Update github.com/containers/storage, containers/common, containers/image ...
Update nix pin with `make nixpkgs`
Update to F34beta images + add hack/get_ci_vm.sh script
Upgrade dsnet/compress to avoid vulnerable xz version
Vendor in latest golang.org/x/crypto
skopeo images: set authfile to /tmp/auth.json

Source code(tar.gz)
Source code(zip)

v1.2.2(Feb 18, 2021)
Bump golang.org/x/crypto to the latest

Bump vendor/modules.txt in release-1.2

Fix gating test in release-1.2 port

Bump c/common c/image and c/storage to latest

Bump to Skopeo v1.2.2

Source code(tar.gz)
Source code(zip)
v1.2.1(Jan 11, 2021)
Include OBS install steps for CentOS

Makefile: add a local-cross target

Add Subject Alternative Name to local openssl cert

Update nix pin with make nixpkgs

Make Makefile a little easier to use

Update README.md

Update install.md

install.md: mention Nix/NixOS

Fix skopeo login example in README

Use osusergo build tag for static build

Travis: bump go to 1.15.x

integration tests: disable ls for logs

Dockerfile: install openssl

Avoid overriding LDFLAGS in Makefile

Add multi-arch builds for upstream and stable skopeo image via Travis

Fix #858 Add support for digests in sync

Fix #858 Add --all sync flag to emulate copy --all

install: make commands copy-pasteable

Support namespaced logins for quay.io

Switch to using errors.Wrapf rather then fmt.Errorsf

Add --format option to skopeo inspect

Add information about multi-arch image to README

Fix naming and language

vendor in containers/storage v1.24.1 containers/image v5.8,1

Update installation docs for debian and ubuntu

Update OSX Travis env before running tests

Update to macOS 10.14

Update debian/ubuntu docs

Spelling

Fix creds sync from yaml

Fix reading the after-sync list of tags in SyncSuite.TestYamlUntagged

Update vendor of containers/common and containers/storage

Integration test: use fedora-minimal for most manifest list tests

Integration test: sync k8s.gcr.io/pause instead of docker.io/alpine

Split copyWithSignedIdentity from TestCopyVerifyingMirroredSignatures

Add a smoke test for signedIdentity:remapIdentity

Source code(tar.gz)
Source code(zip)

v1.2.0(Sep 25, 2020)

-buildmode=pie is not supported for some arch
A couple of minor code cleanups.
Add --registry-token flags to support Bearer token authentication
Add --registry-token tests to utils_tests.go
Add an extra clarification to skopeo-copy(1)
Add an extra clarification to skopeo-copy(1)
Add oci-archive to transport list, and link to the authoritative man page
Adding periods
Build static binary with `buildGoModule`
Bump github.com/containers/common from 0.14.0 to 0.22.0
Bump github.com/containers/image/v5 from 5.5.1 to 5.6.0
Bump github.com/containers/ocicrypt from 1.0.2 to 1.0.3
Bump github.com/containers/storage from 1.21.1 to 1.23.5
Cleanup Dockerfile builds
Dockerfile.build: Upgrade to Ubuntu 20.04
Fix macOS builds in Travis
Fix make clean to actually remove binaries
Fix problems found by codespell
Fix skopeo-login docs typo
Keep options order in code and add missing bash completions
Make InspectOutput an external object
Remove an obsolete documentation of (make binary-static)
Retry on skopeo subcommands
Retry skopeo inspect command
Run htpasswd from our build-container instead of registry:2
Switch containers/libpod->containers/podman
Update nix pin with `make nixpkgs`
Use an inter-registry copy as the example for (skopeo copy)
Use c/common retry package
fix build in docker container
nix run -f channel:nixos-20.03
update enc/dec docs to be consistent with buildah
use base image golang for build
vendor golang.org/x/[email protected]

Source code(tar.gz)
Source code(zip)

v1.1.1(Jul 29, 2020)
Run htpasswd from our build-container instead of registry:2

vendor golang.org/x/[email protected]

Source code(tar.gz)
Source code(zip)

v1.1.0(Jun 18, 2020)

Add Skopeo Stable Image Dockerfile for Quay
Add tags to support regular expressions in yaml conf
Add tags to support regular expressions without breaking the old ones in yaml conf
Add upstream and testing container images
Add upstream and testing container images
Bump github.com/containers/storage from 1.20.1 to 1.20.2
Bump github.com/stretchr/testify from 1.6.0 to 1.6.1
Clarify control flow when handling the tags list
Clarify imagesToCopy control flow
Correct a typo in docs/skopeo-sync.1.md
Don't use path.Join to form repository names
Drop redundant fmt.Sprintf inside erorrs.Wrapf/Errorf
Fix error handling on invalid regex
Fix the recently added example in the man page.
Inline isTagSpecified into its only caller
Only create a SystemContext once per registry
Remove the repoReference parameter of imagesToCopyFromRepo
Share the logrus.WithFields settings over the loop bodies
Use MatchString instead of Match with a manual conversion
Use a reference.Named, not types.ImageReference, in imagesToCopyFromRepo
Use a separate field for the "sync images with tag matching regex" feature
Use reference.Tagged to extract the tag from a reference
Work with a reference.Named, not strings, in imagesToCopyFromRegistry
there is a brew formula for skopeo
vendor github.com/containers/common v0.14.0
vendor github.com/containers/image/[email protected]

Source code(tar.gz)
Source code(zip)

v1.0.0(May 18, 2020)
Skopeo 1.0 release

New features in this release skopeo login skopeo logout

. Update skopeo readme and man page . Add links to configuration man pages . Update docs/skopeo-sync.1.md . Add skopeo Login from c/common . Add skopeo login&logout . Add Security Policy . Add tests for using signatures with mirrors . Update c/image for https://github.com/containers/image/pull/912 . fix copy doc . Use cobra in skopeo . Fix TestCopyAtomicExtension . Update containers/image to v5.4.4 . Bump github.com/containers/storage from 1.18.2 to 1.19.0 . v0.11.2 containers/common
Source code(tar.gz)
Source code(zip)

v0.2.0(Apr 9, 2020)

Update on #834: force runc only when cgroupsv1
Update docs/skopeo.1.md
Add example with repository
Skopeo should support for BigFilesTemporaryDir (SystemContext)
Use fully-qualified image names
Add Ubuntu/Debian install instructions
CI: force Podman to use runc
add support for REGISTRY_AUTH_FILE
Partial image encryption support
Remove the list_tags integration test since it does not cover much not already tested by the upstream container/images repo or local unit tests
Updates based on code review to simplify logic and tests
Fix inconsistency in manpage example for list-tags
Fix formatting on test
Adds "list-tags" command to list tags with no known tag required. Fixes #276

Source code(tar.gz)
Source code(zip)

v0.1.41(Feb 7, 2020)
Bump github.com/containers/image/v5 from 5.2.0 to 5.2.1

Bump gopkg.in/yaml.v2 from 2.2.7 to 2.2.8

Bump github.com/containers/common from 0.0.7 to 0.1.4

Remove the reference to openshift/api

vendor github.com/containers/image/[email protected]

Manually update buildah to v1.13.1

add specific authfile options to copy (and sync) command.

Bump github.com/containers/buildah from 1.11.6 to 1.12.0

Add context to --encryption-key / --decryption-key processing failures

Bump github.com/containers/storage from 1.15.2 to 1.15.3

Bump github.com/containers/buildah from 1.11.5 to 1.11.6

remove direct reference on c/image/storage

Makefile: set GOBIN

Bump gopkg.in/yaml.v2 from 2.2.2 to 2.2.7

Bump github.com/containers/storage from 1.15.1 to 1.15.2

Introduce the sync command

openshift cluster: remove .docker directory on teardown

Bump github.com/containers/storage from 1.14.0 to 1.15.1

document installation via apk on alpine

Fix typos in doc for image encryption

Image encryption/decryption support in skopeo

make vendor-in-container

Bump github.com/containers/buildah from 1.11.4 to 1.11.5

Travis: use go v1.13

Use a Windows Nano Server image instead of Server Core for multi-arch testing

Increase test timeout to 15 minutes

Run the test-system container without --net=host

Mount /run/systemd/journal/socket into test-system containers

Don't unnecessarily filter out vendor from (go list ./...) output

Use -mod=vendor in (go {list,test,vet})

Bump github.com/containers/buildah from 1.8.4 to 1.11.4

Bump github.com/urfave/cli from 1.20.0 to 1.22.1

skopeo: drop support for ostree

Don't critically fail on a 403 when listing tags

Revert "Temporarily work around auth.json location confusion"

Remove references to atomic

Remove references to storage.conf

Dockerfile: use golang-github-cpuguy83-go-md2man

bump version to v0.1.41-dev

systemtest: inspect container image different from current platform arch

Source code(tar.gz)
Source code(zip)
v0.1.40(Oct 29, 2019)
vendor containers/image v5.0.0

copy: add a --all/-a flag

System tests: various fixes

Temporarily work around auth.json location confusion

copy: add --dest-compress-format and --dest-compress-level

flag: add optionalIntValue

Makefile: use go proxy

inspect --raw: skip the NewImage() step

update OCI image-spec to 775207bd45b6cb8153ce218cc59351799217451f

inspect.go: inspect env variables

ostree: use both image and & storage buildtags

Source code(tar.gz)
Source code(zip)
v0.1.39(Aug 6, 2019)
update github.com/containers/{image,storage}

ostree: use the correct build tags

Source code(tar.gz)
Source code(zip)
v0.1.38(Aug 2, 2019)
vendor github.com/containers/[email protected]

enforce blocking of registries

Fix lowest possible go version to be 1.9

man pages: add --dest-oci-accept-uncompressed-layers

bash completion: add --dest-oci-accept-uncompressed-layers

README.md: skopeo on openSUSE

copy: add a CLI flag for OCIAcceptUncompressedLayers

migrate to go modules

README: Clarify use of libbtrfs-dev on Ubuntu

Source code(tar.gz)
Source code(zip)

v0.1.36(May 18, 2019)

rootless: don't create a namespace unless for containers-storage
Fix typo on the main man page
inspect: add a --config flag
Add --no-creds flag to skopeo inspect
Vendor update container/storage
Vendor update container/image    
Vendor update container/buildah
rootless: do not create a user namespace if not needed
skopeo: create a userns when running rootless
completions: Use only spaces in indent
completions: Fix completions with a global option

Source code(tar.gz)
Source code(zip)