diff --git a/go.mod b/go.mod
index c20741820dd..044d3a5ee5c 100644
--- a/go.mod
+++ b/go.mod
@@ -141,3 +141,9 @@ require (
 sigs.k8s.io/yaml v1.6.0 // indirect
 tags.cncf.io/container-device-interface/specs-go v1.0.1-0.20251120202831-139ffec09210 // indirect
 )
+
+replace go.podman.io/common => github.com/lsm5/container-libs/common v0.0.0-20251123192254-a762705ceceb
+
+replace go.podman.io/storage => github.com/lsm5/container-libs/storage v0.0.0-20251123192254-a762705ceceb
+
+replace go.podman.io/image/v5 => github.com/lsm5/container-libs/image/v5 v5.0.0-20251123192254-a762705ceceb
diff --git a/go.sum b/go.sum
index d6d571cac4f..0732a580b67 100644
--- a/go.sum
+++ b/go.sum
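Review bot: The three `replace` directives appended to go.mod redirect go.podman.io/common, go.podman.io/storage and go.podman.io/image/v5 to a personal fork (github.com/lsm5/container-libs) at an untagged pseudo-version, so the image-verification and storage code this binary ships is now sourced from an individual's repository rather than the upstream module path, and the go.sum h1 hashes pin the bytes but say nothing about provenance. If this is a temporary bridge until the change is released upstream, mark it so it cannot be forgotten, e.g. `// TODO: temporary forks, drop once the digest-validation change is released from go.podman.io` on the line above the first replace, and keep the replaces off any release branch. The `/go.mod` hashes of the fork entries in go.sum are identical to the removed upstream ones and the vendored diff shows only the digest-validation change plus containers.conf text, which is consistent with an upstream-plus-one-commit fork, but please confirm that by diffing the fork commit against the upstream commit it replaces before merging.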
@@ -156,6 +156,12 @@ github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
 github.com/letsencrypt/boulder v0.0.0-20240620165639-de9c06129bec h1:2tTW6cDth2TSgRbAhD7yjZzTQmcN25sDRPEeinR51yQ=
 github.com/letsencrypt/boulder v0.0.0-20240620165639-de9c06129bec/go.mod h1:TmwEoGCwIti7BCeJ9hescZgRtatxRE+A72pCoPfmcfk=
+github.com/lsm5/container-libs/common v0.0.0-20251123192254-a762705ceceb h1:8izyD5GjMzpnyuJinlX0IEKV9BPOlPkK44Ep3EelcoA=
+github.com/lsm5/container-libs/common v0.0.0-20251123192254-a762705ceceb/go.mod h1:8qbjUhjwp4i5u1O19vzwYW2qwIuPdFXIuv4nl3Z8px8=
+github.com/lsm5/container-libs/image/v5 v5.0.0-20251123192254-a762705ceceb h1:PVKQntSZ77ZnsCMOx5XTJR2OYTgnj0b5T+gFoGDM928=
+github.com/lsm5/container-libs/image/v5 v5.0.0-20251123192254-a762705ceceb/go.mod h1:9DniP9NaGH03kzwNKYEtOXgRJwO+cQHENH+G4sOwLNc=
+github.com/lsm5/container-libs/storage v0.0.0-20251123192254-a762705ceceb h1:Oh5nBdlI1mOJyLALWuVQMMIEba0nsnkvKtoCjBl103M=
+github.com/lsm5/container-libs/storage v0.0.0-20251123192254-a762705ceceb/go.mod h1:4p18A5ymiiJTllTu2Eo7CX88SO+V110TMzi31pXsb1s=
 github.com/manifoldco/promptui v0.9.0 h1:3V4HzJk1TtXW1MTZMP7mdlwbBpIinw3HztaIlYthEiA=
 github.com/manifoldco/promptui v0.9.0/go.mod h1:ka04sppxSGFAtxX0qhlYQjISsg9mR4GWtQEhdbn6Pgg=
 github.com/mattn/go-runewidth v0.0.19 h1:v++JhqYnZuu5jSKrk9RbgF5v4CGUjqRfBm05byFGLdw=
@@ -322,12 +328,6 @@ go.opentelemetry.io/otel/trace v1.38.0 h1:Fxk5bKrDZJUH+AMyyIXGcFAPah0oRcT+LuNtJr
 go.opentelemetry.io/otel/trace v1.38.0/go.mod h1:j1P9ivuFsTceSWe1oY+EeW3sc+Pp42sO++GHkg4wwhs=
 go.opentelemetry.io/proto/otlp v1.7.1 h1:gTOMpGDb0WTBOP8JaO72iL3auEZhVmAQg4ipjOVAtj4=
 go.opentelemetry.io/proto/otlp v1.7.1/go.mod h1:b2rVh6rfI/s2pHWNlB7ILJcRALpcNDzKhACevjI+ZnE=
-go.podman.io/common v0.66.1-0.20251120131032-23712697ddda h1:Ib1vIEYB5eCSz3G09sROyY/j09jztFlWRm4G52vWj3k=
-go.podman.io/common v0.66.1-0.20251120131032-23712697ddda/go.mod h1:8qbjUhjwp4i5u1O19vzwYW2qwIuPdFXIuv4nl3Z8px8=
-go.podman.io/image/v5 v5.38.1-0.20251120131032-23712697ddda h1:YySc/E4bpD5b5y4kFN/7ZDo5JcXnOpPfwU78kH9D+EU=
-go.podman.io/image/v5 v5.38.1-0.20251120131032-23712697ddda/go.mod h1:9DniP9NaGH03kzwNKYEtOXgRJwO+cQHENH+G4sOwLNc=
-go.podman.io/storage v1.61.1-0.20251120131032-23712697ddda h1:bC4fEguil4pwVp2U2zKWUC5ouqIwRDdtyJxtX1bPY+0=
-go.podman.io/storage v1.61.1-0.20251120131032-23712697ddda/go.mod h1:4p18A5ymiiJTllTu2Eo7CX88SO+V110TMzi31pXsb1s=
 go.yaml.in/yaml/v2 v2.4.2 h1:DzmwEr2rDGHl7lsFgAHxmNz/1NlQ7xLIrlN2h5d1eGI=
 go.yaml.in/yaml/v2 v2.4.2/go.mod h1:081UH+NErpNdqlCXm3TtEran0rJZGxAYx9hb/ELlsPU=
 go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc=
diff --git a/vendor/go.podman.io/common/pkg/config/containers.conf b/vendor/go.podman.io/common/pkg/config/containers.conf
index fd337831c9d..a25f53f8fa6 100644
--- a/vendor/go.podman.io/common/pkg/config/containers.conf
+++ b/vendor/go.podman.io/common/pkg/config/containers.conf
@@ -216,12 +216,12 @@ default_sysctls = [
 #
 #log_driver = "k8s-file"
-# Default path for container logs to be stored in. When empty, logs will be stored
+# Default path for container logs to be stored in. When empty, logs will be stored
 # in the container's default storage and removed when the container is removed.
-# A subdirectory named with the container ID will be created under the specified
+# A subdirectory named with the container ID will be created under the specified
 # path, and the log file will have the default name `ctr.log` within that directory.
 # This option can be overridden by the `--log-opt` flag.
-#
+#
 #log_path = ""
 # Maximum size allowed for the container log file. Negative numbers indicate
@@ -359,7 +359,7 @@ default_sysctls = [
 # already containers/images or CNI networks preset it will choose CNI.
 #
 # Before changing this value all containers must be stopped otherwise it is likely that
-# iptables rules and network interfaces might leak on the host. A reboot will fix this.
+# firewall rules and network interfaces might leak on the host. A reboot will fix this.
 #
 #network_backend = ""
@@ -384,7 +384,7 @@ default_sysctls = [
 # The firewall driver to be used by netavark.
 # The default is empty which means netavark will pick one accordingly. Current supported
-# drivers are "iptables", "nftables", "none" (no firewall rules will be created) and "firewalld" (firewalld is
+# drivers are "nftables", "none" (no firewall rules will be created) and "firewalld" (firewalld is
 # experimental at the moment and not recommend outside of testing).
 #
 #firewall_driver = ""
@@ -542,10 +542,14 @@ default_sysctls = [
 #
 #enable_port_reservation = true
-# Environment variables to be used when running the container engine (e.g., Podman, Buildah).
-# For example "http_proxy=internal.proxy.company.com".
-# Note these environment variables will not be used within the container.
-# Set the env section under [containers] table, if you want to set environment variables for the container.
+# Environment variables to be used when running the container engine (e.g.,
+# Podman, Buildah). For example "MYVAR=value". These environment variables
+# will not be used within the container. Set the env section under the
+# [containers] table, if you want to set environment variables for the
+# container.
+# Note when using this to set http proxy variables then they might get
+# leaked into the container depending on if `http_proxy` (under the
+# [containers] table) is set to to true (default) or false.
 #
 #env = []
diff --git a/vendor/go.podman.io/common/pkg/config/containers.conf-freebsd b/vendor/go.podman.io/common/pkg/config/containers.conf-freebsd
index bd999c339c9..6a8163066e7 100644
--- a/vendor/go.podman.io/common/pkg/config/containers.conf-freebsd
+++ b/vendor/go.podman.io/common/pkg/config/containers.conf-freebsd
@@ -169,12 +169,12 @@ default_sysctls = [
 #
 #log_driver = "k8s-file"
-# Default path for container logs to be stored in. When empty, logs will be stored
+# Default path for container logs to be stored in. When empty, logs will be stored
 # in the container's default storage and removed when the container is removed.
-# A subdirectory named with the container ID will be created under the specified
+# A subdirectory named with the container ID will be created under the specified
 # path, and the log file will have the default name `ctr.log` within that directory.
 # This option can be overridden by the `--log-opt` flag.
-#
+#
 #log_path = ""
 # Maximum size allowed for the container log file. Negative numbers indicate
@@ -393,10 +393,14 @@ default_sysctls = [
 #
 #enable_port_reservation = true
-# Environment variables to be used when running the container engine (e.g., Podman, Buildah).
-# For example "http_proxy=internal.proxy.company.com".
-# Note these environment variables will not be used within the container.
-# Set the env section under [containers] table, if you want to set environment variables for the container.
+# Environment variables to be used when running the container engine (e.g.,
+# Podman, Buildah). For example "MYVAR=value". These environment variables
+# will not be used within the container. Set the env section under the
+# [containers] table, if you want to set environment variables for the
+# container.
+# Note when using this to set http proxy variables then they might get
+# leaked into the container depending on if `http_proxy` (under the
+# [containers] table) is set to to true (default) or false.
 #
 #env = []
diff --git a/vendor/go.podman.io/image/v5/internal/image/digest_validation.go b/vendor/go.podman.io/image/v5/internal/image/digest_validation.go
new file mode 100644
index 00000000000..88a870ac347
--- /dev/null
+++ b/vendor/go.podman.io/image/v5/internal/image/digest_validation.go
@@ -0,0 +1,26 @@
+package image
+
+import (
+ "fmt"
+
+ "github.com/opencontainers/go-digest"
+)
+
+func validateBlobAgainstDigest(blob []byte, expectedDigest digest.Digest) error {
+ if expectedDigest == "" {
+ return fmt.Errorf("expected digest is empty")
+ }
+ err := expectedDigest.Validate()
+ if err != nil {
+ return fmt.Errorf("invalid digest format %q: %w", expectedDigest, err)
+ }
+ digestAlgorithm := expectedDigest.Algorithm()
+ if !digestAlgorithm.Available() {
+ return fmt.Errorf("unsupported digest algorithm: %s", digestAlgorithm)
+ }
+ computedDigest := digestAlgorithm.FromBytes(blob)
+ if computedDigest != expectedDigest {
+ return fmt.Errorf("blob digest %s does not match expected %s", computedDigest, expectedDigest)
+ }
+ return nil
+}
diff --git a/vendor/go.podman.io/image/v5/internal/image/docker_schema2.go b/vendor/go.podman.io/image/v5/internal/image/docker_schema2.go
index 1586d67900e..b40f4fc71e1 100644
--- a/vendor/go.podman.io/image/v5/internal/image/docker_schema2.go
+++ b/vendor/go.podman.io/image/v5/internal/image/docker_schema2.go
@@ -110,9 +110,8 @@ func (m *manifestSchema2) ConfigBlob(ctx context.Context) ([]byte, error) {
 if err != nil {
 return nil, err
 }
- computedDigest := digest.FromBytes(blob)
- if computedDigest != m.m.ConfigDescriptor.Digest {
- return nil, fmt.Errorf("Download config.json digest %s does not match expected %s", computedDigest, m.m.ConfigDescriptor.Digest)
+ if err := validateBlobAgainstDigest(blob, m.m.ConfigDescriptor.Digest); err != nil {
+ return nil, fmt.Errorf("config validation failed: %w", err)
 }
 m.configBlob = blob
 }
diff --git a/vendor/go.podman.io/image/v5/internal/image/oci.go b/vendor/go.podman.io/image/v5/internal/image/oci.go
index 56a1a6d64e1..8ddb2875e0f 100644
--- a/vendor/go.podman.io/image/v5/internal/image/oci.go
+++ b/vendor/go.podman.io/image/v5/internal/image/oci.go
@@ -8,7 +8,6 @@ import (
 "slices"
 ociencspec "github.com/containers/ocicrypt/spec"
- "github.com/opencontainers/go-digest"
 imgspecv1 "github.com/opencontainers/image-spec/specs-go/v1"
 "go.podman.io/image/v5/docker/reference"
 "go.podman.io/image/v5/internal/iolimits"
@@ -74,9 +73,8 @@ func (m *manifestOCI1) ConfigBlob(ctx context.Context) ([]byte, error) {
 if err != nil {
 return nil, err
 }
- computedDigest := digest.FromBytes(blob)
- if computedDigest != m.m.Config.Digest {
- return nil, fmt.Errorf("Download config.json digest %s does not match expected %s", computedDigest, m.m.Config.Digest)
+ if err := validateBlobAgainstDigest(blob, m.m.Config.Digest); err != nil {
+ return nil, fmt.Errorf("config validation failed: %w", err)
 }
 m.configBlob = blob
 }
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 726a27e6637..a5dd5c70555 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -510,7 +510,7 @@ go.opentelemetry.io/otel/trace
 go.opentelemetry.io/otel/trace/embedded
 go.opentelemetry.io/otel/trace/internal/telemetry
 go.opentelemetry.io/otel/trace/noop
-# go.podman.io/common v0.66.1-0.20251120131032-23712697ddda
+# go.podman.io/common v0.66.1-0.20251120131032-23712697ddda => github.com/lsm5/container-libs/common v0.0.0-20251123192254-a762705ceceb
 ## explicit; go 1.24.2
 go.podman.io/common/internal
 go.podman.io/common/internal/attributedstring
@@ -564,7 +564,7 @@ go.podman.io/common/pkg/umask
 go.podman.io/common/pkg/util
 go.podman.io/common/pkg/version
 go.podman.io/common/version
-# go.podman.io/image/v5 v5.38.1-0.20251120131032-23712697ddda
+# go.podman.io/image/v5 v5.38.1-0.20251120131032-23712697ddda => github.com/lsm5/container-libs/image/v5 v5.0.0-20251123192254-a762705ceceb
 ## explicit; go 1.24.0
 go.podman.io/image/v5/copy
 go.podman.io/image/v5/directory
@@ -632,7 +632,7 @@ go.podman.io/image/v5/transports
 go.podman.io/image/v5/transports/alltransports
 go.podman.io/image/v5/types
 go.podman.io/image/v5/version
-# go.podman.io/storage v1.61.1-0.20251120131032-23712697ddda
+# go.podman.io/storage v1.61.1-0.20251120131032-23712697ddda => github.com/lsm5/container-libs/storage v0.0.0-20251123192254-a762705ceceb
 ## explicit; go 1.24.0
 go.podman.io/storage
 go.podman.io/storage/drivers
@@ -872,3 +872,6 @@ tags.cncf.io/container-device-interface/pkg/parser
 # tags.cncf.io/container-device-interface/specs-go v1.0.1-0.20251120202831-139ffec09210
 ## explicit; go 1.19
 tags.cncf.io/container-device-interface/specs-go
+# go.podman.io/common => github.com/lsm5/container-libs/common v0.0.0-20251123192254-a762705ceceb
+# go.podman.io/storage => github.com/lsm5/container-libs/storage v0.0.0-20251123192254-a762705ceceb
+# go.podman.io/image/v5 => github.com/lsm5/container-libs/image/v5 v5.0.0-20251123192254-a762705ceceb