diff --git a/go.mod b/go.mod
index e32437696..92d30a09b 100644
--- a/go.mod
+++ b/go.mod
@@ -141,3 +141,5 @@ require (
 	google.golang.org/protobuf v1.33.0 // indirect
 	gopkg.in/ini.v1 v1.63.2 // indirect
 )
+
+replace github.com/docker/distribution => github.com/distribution/distribution v2.8.3+incompatible
diff --git a/pkg/helpers/docker/docker.go b/pkg/helpers/docker/docker.go
index 705cce41e..562792c17 100644
--- a/pkg/helpers/docker/docker.go
+++ b/pkg/helpers/docker/docker.go
@@ -16,6 +16,7 @@
 package docker
 
 import (
+	"archive/tar"
 	"context"
 	"encoding/hex"
 	"net/http"
@@ -31,8 +32,8 @@ import (
 
 	fileHelper "github.com/mudler/luet/pkg/helpers/file"
 
+	"github.com/distribution/reference"
 	"github.com/docker/cli/cli/trust"
-	"github.com/docker/distribution/reference"
 	registrytypes "github.com/docker/docker/api/types/registry"
 	"github.com/docker/docker/registry"
 	"github.com/google/go-containerregistry/pkg/authn"
@@ -137,6 +138,15 @@ type UnpackEventData struct {
 	Dest  string
 }
 
+func setUIDGID(h *tar.Header) (bool, error) {
+	// Set the desired UID and GID
+	h.Uid = os.Getuid()
+	h.Gid = os.Getgid()
+
+	// Return true to indicate that this header should be included in the extraction
+	return true, nil
+}
+
 // DownloadAndExtractDockerImage extracts a container image natively. It supports privileged/unprivileged mode
 func DownloadAndExtractDockerImage(ctx luettypes.Context, image, dest string, auth *registrytypes.AuthConfig, verify bool) (*images.Image, error) {
 	if verify {
@@ -185,7 +195,7 @@ func DownloadAndExtractDockerImage(ctx luettypes.Context, image, dest string, au
 		ctx,
 		img,
 		dest,
-		nil,
+		setUIDGID,
 	)
 	if err != nil {
 		return nil, err
@@ -249,7 +259,7 @@ func ExtractDockerImage(ctx luettypes.Context, local, dest string) (*images.Imag
 		ctx,
 		img,
 		dest,
-		nil,
+		setUIDGID,
 	)
 
 	if err != nil {