diff --git a/manifest/rfc2822.go b/manifest/rfc2822.go
index cabbd53..8d885d2 100644
--- a/manifest/rfc2822.go
+++ b/manifest/rfc2822.go
@@ -18,6 +18,9 @@ import (
 var (
 	GitCommitRegex = regexp.MustCompile(`^[0-9a-f]{1,64}$`)
 	GitFetchRegex  = regexp.MustCompile(`^refs/(heads|tags)/[^*?:]+$`)
+
+	// https://github.com/docker/distribution/blob/v2.7.1/reference/regexp.go#L37
+	ValidTagRegex = regexp.MustCompile(`^\w[\w.-]{0,127}$`)
 )
 
 type Manifest2822 struct {
@@ -395,6 +398,9 @@ func (manifest *Manifest2822) AddEntry(entry Manifest2822Entry) error {
 	entry.DeduplicateSharedTags()
 	entry.CleanDirectoryValues()
 
+	if invalidTags := entry.InvalidTags(); len(invalidTags) > 0 {
+		return fmt.Errorf("Tags %q has invalid (Shared)Tags: %q", entry.TagsString(), strings.Join(invalidTags, ", "))
+	}
 	if invalidArchitectures := entry.InvalidArchitectures(); len(invalidArchitectures) > 0 {
 		return fmt.Errorf("Tags %q has invalid Architectures: %q", entry.TagsString(), strings.Join(invalidArchitectures, ", "))
 	}
@@ -458,6 +464,16 @@ func (entry Manifest2822Entry) InvalidMaintainers() []string {
 	return invalid
 }
 
+func (entry Manifest2822Entry) InvalidTags() []string {
+	invalid := []string{}
+	for _, tag := range append(append([]string{}, entry.Tags...), entry.SharedTags...) {
+		if !ValidTagRegex.MatchString(tag) {
+			invalid = append(invalid, tag)
+		}
+	}
+	return invalid
+}
+
 func (entry Manifest2822Entry) InvalidArchitectures() []string {
 	invalid := []string{}
 	for _, arch := range entry.Architectures {