skopeo man page

skopeo -- Various operations with container images images and container image registries


skopeo [global options] command [command options]


skopeo is a command line utility providing various operations with container images and container image registries. For example, it is able to inspect a repository on a Docker registry and fetch image. It fetches the repository's manifest and it is able to show you a docker inspect-like json output about a whole repository or a tag. This tool, in contrast to docker inspect, helps you gather useful information about a repository or a tag without requiring you to run docker pull - e.g. - which tags are available for the given repository? which labels the image has?

It also allows you to copy container images between various registries, possibly converting them as necessary, and to sign and verify images.

Image Names

Most commands refer to container images, using a transport:details format. The following formats are supported:

An image in the current project of the current default Atomic
Registry. The current project and Atomic Registry instance are by
default read from $HOME/.kube/config, which is set e.g. using
(oc login).

An existing local directory path storing the manifest, layer
tarballs and signatures as individual files. This is a
non-standardized format, primarily useful for debugging or
noninvasive container inspection.

An image in a registry implementing the "Docker Registry HTTP API V2".
By default, uses the authorization state in $HOME/.docker/config.json,
which is set e.g. using (docker login).

An image tag in a directory compliant with "Open Container Image
Layout Specification" at path.


enable debug output
--cert-path path
Use certificates at path (cert.pem, key.pem) to connect to the registry
--policy path-to-policy
Path to a policy.json file to use for verifying signatures and deciding whether an image is trusted, overriding the default trust policy file.
--registries.d dir
use registry configuration files in dir (e.g. for docker signature storage), overriding the default path.
--tls-verify bool-value
Require HTTPS and verify certificates when talking to docker registries (defaults to true)
Show help
print the version number

skopeo copy

skopeo copy [--sign-by=key-ID] source-image destination-image

Copy an image (manifest, filesystem layers, signatures) from one location to another.

Uses the system's trust policy to validate images, rejects images not trusted by the policy.

source-image use the "image name" format described above

destination-image use the "image name" format described above

--remove-signatures do not copy signatures, if any, from source-image. Necessary when copying a signed image to a destination which does not support signatures.

--sign-by=key-id add a signature using that key ID for an image name corresponding to destination-image

--src-creds username[:password] for accessing the source registry

--dest-creds username[:password] for accessing the destination registry

Existing signatures, if any, are preserved as well.

skopeo delete

skopeo delete image-name

Mark image-name for deletion. To release the allocated disk space, you need to execute the docker registry garabage collector. E.g.,

$ docker exec -it registry bin/registry garbage-collect /etc/docker/registry/config.yml

--creds username[:password] for accessing the registry

Additionally, the registry must allow deletions by setting REGISTRY_STORAGE_DELETE_ENABLED=true for the registry daemon.

skopeo inspect

skopeo inspect [--raw] image-name

Return low-level information about image-name in a registry

--raw output raw manifest, default is to format in JSON

image-name name of image to retrieve information about

--creds username[:password] for accessing the registry

skopeo layers

skopeo layers image-name

Get image layers of image-name

image-name name of the image to retrieve layers

skopeo manifest-digest

skopeo manifest-digest manifest-file

Compute a manifest digest of manifest-file and write it to standard output.

skopeo standalone-sign

skopeo standalone-sign manifest docker-reference key-fingerprint --output|-o signature

This is primarily a debugging tool, or useful for special cases, and usually should not be a part of your normal operational workflow; use skopeo copy --sign-by instead to publish and sign an image in one step.

manifest Path to a file containing the image manifest

docker-reference A docker reference to identify the image with

key-fingerprint Key identity to use for signing

--output|-o output file

skopeo standalone-verify

skopeo standalone-verify manifest docker-reference key-fingerprint signature

Verify a signature using local files, digest will be printed on success.

manifest Path to a file containing the image manifest

docker-reference A docker reference expected to identify the image in the signature

key-fingerprint Expected identity of the signing key

signature Path to signature file

Note: If you do use this, make sure that the image can not be changed at the source location between the times of its verification and use.

skopeo help

show help for skopeo


Default trust policy file, if --policy is not specified.
The policy format is documented in ⟨…⟩ .

Default directory containing registry configuration, if --registries.d is not specified.
The contents of this directory are documented in ⟨…⟩ .

skopeo copy

To copy the layers of the busybox image to a local directory:

$ mkdir -p /var/lib/images/busybox
$ skopeo copy docker://busybox:latest dir:/var/lib/images/busybox
$ ls /var/lib/images/busybox/*

To copy and sign an image:

$ skopeo copy --sign-by atomic:example/busybox:streaming atomic:example/busybox:gold

skopeo delete

Mark image example/pause for deletion from the registry:

$ skopeo delete --force docker://

See above for additional details on using the command delete.

skopeo inspect

To review information for the image fedora from the registry:

$ skopeo inspect docker://
    "Name": "",
    "Digest": "sha256:a97914edb6ba15deb5c5acf87bd6bd5b6b0408c96f48a5cbd450b5b04509bb7d",
    "RepoTags": [
    "Created": "2016-06-20T19:33:43.220526898Z",
    "DockerVersion": "1.10.3",
    "Labels": {},
    "Architecture": "amd64",
    "Os": "linux",
    "Layers": [

skopeo layers

Another method to retrieve the layers for the busybox image from the registry:

$ skopeo layers docker://busybox
$ ls layers-500650331/

skopeo manifest-digest

$ skopeo manifest-digest manifest.json

skopeo standalone-sign

$ skopeo standalone-sign busybox-manifest.json 1D8230F6CDB6A06716E414C1DB72F2188BB46CC8 --output busybox.signature

See skopeo copy above for the preferred method of signing images.

skopeo standalone-verify

$ skopeo standalone-verify busybox-manifest.json 1D8230F6CDB6A06716E414C1DB72F2188BB46CC8  busybox.signature
Signature verified, digest sha256:20bf21ed457b390829cdbeec8795a7bea1626991fda603e0d01b4e7f60427e55


Antonio Murdaca ⟨⟩, Miloslav Trmac ⟨⟩, Jhon Honce ⟨⟩


Skopeo Man Pages Jhon Honce August 2016