pullImageFromManifest does not use Skopeo auth

[remi-gelinas]

I'm trying to use nix2container to set up builds based on a base image from a private ECR repository. pullImage works fine as it uses the passthrough /etc/skopeo/auth.json sandbox path, but pullImageFromManifest doesn't seem to leverage skopeo anywhere in the build, and therefore can't authenticate to our repo. Considering the manifest doesn't have any auth tokens in it, I'm unclear as to how one is supposed to provide authentication for a registry using pullImageFromManifest.

Inconsistently, the generated getManifest script to update manifests from an image generated by pullImageFromManifest DOES use Skopeo, and has no problem authenticating to the registry.

The docs make it seem like the auth sandbox passthrough should work for both versions of image pulling, but as far as I can tell, only pullImage picks up the correct auth.

Is this intentional? Is there another undocumented method to provide auth info to pullImageFromManifest?