
Week 3 - skopeo Deep Dive: Multi-Arch, Signing, Sync

3.1 Conceptual Core

  • skopeo is the image-manipulation tool that doesn't require a daemon or storage backend. It can copy between any of: docker:// (registry), oci: (local OCI layout), dir: (raw blob dir), containers-storage: (local CRI-style store), oci-archive:, docker-archive:.
  • skopeo is also how you do registry maintenance: mirror, sync, prune, inspect manifests without pulling layers.

3.2 Mechanical Detail

  • skopeo inspect - show a manifest without downloading layers. --raw for the manifest as bytes, --config for the config blob, --format with Go templates for scripting.
  • skopeo copy --all - for multi-platform images, copy the entire index (all platforms). Without --all, skopeo selects the running platform's manifest.
  • skopeo sync - mirror a registry/repo to another registry or to a local OCI dir. The reference tool for air-gapped ops.
  • skopeo login, skopeo logout - credentials in ${XDG_RUNTIME_DIR}/containers/auth.json.

3.3 Lab - "A Daemonless Image Pipeline"

  1. Pull a multi-arch image as an OCI index. Inspect each per-platform manifest.
  2. Write a script that, given an image reference, prints a table of platforms, layer counts, total compressed/uncompressed sizes, and labels.
  3. Use skopeo sync to mirror three images into your local registry. Verify by pulling the mirrored versions.
  4. Compare skopeo copy of a 1-GB image with and without --multi-arch index-only on the destination side.

3.4 Hardening Drill

  • Configure skopeo to verify signatures on copy (--policy pointing at a policy.json). The default policy is "insecureAcceptAnything"; change this in production.
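An added example for this drill (not part of the course material): a small audit that reads a policy.json as skopeo's --policy would and reports every scope that still admits unsigned images from a registry, shown against a constructed weak policy and a constructed hardened one. The registry name and key path in the hardened sample are placeholders; sigstoreSigned is the policy type that verifies Cosign-style signatures with a public key.

```python
import json

# Constructed sample: the permissive policy many distributions ship by default.
WEAK_POLICY = '{"default": [{"type": "insecureAcceptAnything"}]}'

# Constructed sample: reject by default, trust one registry path only when the
# image carries a Cosign-style signature verifiable with the given public key.
# The registry name and key path are placeholders, not values from the course.
HARDENED_POLICY = json.dumps({
    "default": [{"type": "reject"}],
    "transports": {
        "docker": {
            "registry.example.com/prod": [{
                "type": "sigstoreSigned",
                "keyPath": "/etc/containers/keys/cosign.pub",
            }]
        },
        # Local store left permissive here; tighten if it is also untrusted.
        "containers-storage": {"": [{"type": "insecureAcceptAnything"}]},
    },
})


def _only_accepts_anything(requirements: list) -> bool:
    """True when every requirement in the scope is insecureAcceptAnything.

    All requirements in a scope must hold, so a signedBy or sigstoreSigned
    entry next to it would still force a signature check.
    """
    return bool(requirements) and all(
        r.get("type") == "insecureAcceptAnything" for r in requirements
    )


def audit_policy(policy_text: str) -> list[str]:
    """Return the scopes that admit unsigned images pulled from a registry.

    An empty result means the default and every docker:// scope either
    require a signature or reject outright.
    """
    policy = json.loads(policy_text)
    weak = []
    if _only_accepts_anything(policy.get("default", [])):
        weak.append("default")
    for scope, reqs in policy.get("transports", {}).get("docker", {}).items():
        if _only_accepts_anything(reqs):
            weak.append(f"docker:{scope or '<all registries>'}")
    return weak


if __name__ == "__main__":
    for name, text in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, "->", audit_policy(text) or "no unsigned-image scopes")
```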

3.5 Production Readiness Slice

  • Build a CI job: on every release tag, copy the image from a "staging" registry path to a "production" path only after a Cosign signature is verified. Implementation in week 19 (cosign verify).
