Closed MarkRx closed 6 days ago
Why is the default token "A"?
Because GitHub Packages is the default registry and it requires an authentication header (even though the value is bogus).
It can be customised with HOMEBREW_DOCKER_REGISTRY_TOKEN
however (or HOMEBREW_DOCKER_REGISTRY_BASIC_AUTH_TOKEN
for Basic auth instead of Bearer)
Unfortunately it seems those environment variables are not respected if set to nothing:
bash-3.2$ export HOMEBREW_DOCKER_REGISTRY_TOKEN= bash-3.2$ export HOMEBREW_DOCKER_REGISTRY_BASIC_AUTH_TOKEN=
bash-3.2$ env | sort . . . HOME=/Users/homebrew HOMEBREW_DOCKER_REGISTRY_BASIC_AUTH_TOKEN= HOMEBREW_DOCKER_REGISTRY_TOKEN= . . .
bash-3.2$ brew install openjdk@17 --verbose ==> Downloading https://myrepository.com/artifactory/homebrew-remote/v2/homebrew/core/openjdk/17/manifests/17.0.9 /usr/bin/env /opt/homebrew/Library/Homebrew/shims/shared/curl --disable --cookie /dev/null --globoff --show-error --user-agent Homebrew/4.X.Y\ (Macintosh\;\ arm64\ Mac\ OS\ X\ 13.6)\ curl/8.1.2 --header Accept-Language:\ en --fail --retry 3 --header Accept:\ application/vnd.oci.image.index.v1+json --header Authorization:\ Bearer\ QQ== --remote-time --output /Users/homebrew/Library/Caches/Homebrew/downloads/6274f55d293c4208920a5d52b3b06d4a9dedb0e7139b671f4f66fada2abbc486--openjdk@17-17.0.9.bottle_manifest.json.incomplete --location https://myrepository.com/artifactory/homebrew-remote/v2/homebrew/core/openjdk/17/manifests/17.0.9 % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 0 101 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0 curl: (22) The requested URL returned error: 401
Unfortunately it seems those environment variables are not respected if set to nothing:
Correct.
To ensure we've understood correctly: you have a private Artifactory but it does not have any authentication?
There is authentication but we allow anonymous access on repository mirrors (remote repositories) on our private Artifactory instance. Hence homebrew-remote which mirrors ghcr.io does not require authentication.
We could create an account for homebrew access but I'd prefer not to as that creates additional overhead for password/token rotation.
We'll review a PR to fix this.
A potential quick fix for this might be to set HOMEBREW_GITHUB_PACKAGES_AUTH="Bearer QQ=="
only when both:
HOMEBREW_ARTIFACT_DOMAIN
isn't setHOMEBREW_BOTTLE_DOMAIN
isn't OR is set to the default (https://ghcr.io/v2/homebrew/core
respectively)One blind spot: Is sending QQ==
something unique to ghcr.io, or does any Docker registry require a token and the clients just know to use this Base64'd A
if otherwise unset?
Is sending
QQ==
something unique to ghcr.io
I think this is the case.
A potential quick fix
@colindean can you open a PR? Thanks.
Passing on this for now in favour of a PR.
@MikeMcQuaid do you have a link to the PR?
I think he means someone should raise a PR, not that one already exists.
Exactly, thanks @gromgit.
If that's the case why close this? It's still an issue.
@MarkRx It's unclear anyone cares about it except you. Homebrew has tens of millions of users and we can't keep them all open indefinitely or our issue tracker becomes unusable, sorry. We will happily review a PR if you create one to fix your own problem.
brew doctor
outputVerification
brew doctor
output" above saysYour system is ready to brew.
and am still able to reproduce my issue.brew update
twice and am still able to reproduce my issue.brew install wget
. If they do, open an issue at https://github.com/Homebrew/homebrew-core/issues/new/choose instead.brew config
outputWhat were you trying to do (and why)?
Connect to a private repository using anonymous access
What happened (include all command output)?
The default Authorization: Bearer token sent is QQ== ("A"). As a result anonymous access fails.
What did you expect to happen?
The request does not attempt to send an auth header because there is no token setup. Why is the default token "A"?
Step-by-step reproduction instructions (by running
brew
commands)