docker / docker-credential-helpers

Programs to keep Docker login credentials safe by storing in platform keystores
MIT License

docker build triggers useless gpg passphrase dialog #250

Open user706 opened 1 year ago

user706 commented 1 year ago

I'm on linux (working with docker engine). I started fiddling with docker-credential-pass in order to be able to do this:

```bash
aws ecr-public get-login-password --region us-east-1 --profile myprofile \
         | docker login --username AWS --password-stdin public.ecr.aws/z7f783hdj
```

ok that's now working. but...

Problem

Now every time I do

```bash
docker build --progress=plain `#--no-cache` -t=myimage -f Dockerfile_great .
```

I first get a useless gpg dialog window asking for my passphrase:

```
Passphrase
Please enter the passphrase to unlock the OpenPGP secret key
```

I just hit Cancel and then (and only then) the actual build starts.

How do I get rid of this useless dialog? Why is it coming??

My details:

```
# cat ~/.docker/config.json       # shows
{
    "auths": {
        "public.ecr.aws": {}
    },
    "credsStore": "desktop",
    "credHelpers": {
        "public.ecr.aws/z7f783hdj": "pass"
    }
}
```

Thanks for tips and suggestions.

user706 commented 1 year ago

ok, to analyze the situation, I replaced both these tools...

```bash
echo "$@" | tee -a /home/hero/args.txt
cat - | tee -a /home/hero/stdin.txt
```

and then ran `docker build -t im_test .`

The result is:

`/usr/bin/credential-helper-pass` gets called with:
* args: `list`
* stdin: `unused`

`/usr/bin/gpg` gets called with:
* args: `-d --quiet --yes --compress-algo=none --no-encrypt-to /home/albert/.password-store/docker-credential-helpers/cHVblablabla=/AWS.gpg`
* stdin: (nothing)

And sure enough (once I put back the original tools) and run:
```bash
gpg -d --quiet --yes --compress-algo=none --no-encrypt-to /home/albert/.password-store/docker-credential-helpers/cHVblablabla=/AWS.gpg
```

I get the same dialog, asking for the passphrase.

Why is gpg called with those arguments during docker build? Thanks.

PS: if I call pass I get

```
Password Store
└── docker-credential-helpers
    └── cHVblablabla=
        └── AWS
```

(Should the pass gpg key used for docker-credential-helpers... not have a passphrase????)

user706 commented 1 year ago

Why is a normal docker build asking for my aws credential????

By the way: I now did docker logout.

It shows:

```
Removing login credentials for https://index.docker.io/v1/
WARNING: could not erase credentials:
https://index.docker.io/v1/: error erasing credentials - err: exit status 1, out: `exit status 1: Error: docker-credential-helpers/aHR0cHM6blablablablablaIuaW8vdjEv is not in the password store.`
```

I think aHR0cHM6blablablablablaIuaW8vdjEv is referring to a gpg key-id in the password store.

Well I recently deleted ~/.password-store/ because I wanted to start afresh. Maybe that's what's causing the problem.

How can I go about fixing it?

user706 commented 1 year ago

I've now done docker logout registry... and it returned

Removing login credentials for registry

and now (magically)

docker build works without calling the gpg dialog. Perfect.

But: What's going on exactly? (Any pointers to good documentation, to help me understand what's going on?) Thank you.
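
An added example (not part of the original thread and not the project's own code): docker-credential-pass names each folder under `docker-credential-helpers` with the URL-safe base64 encoding of the registry URL, so the store can be inventoried from file names alone, without triggering a gpg passphrase prompt. The sample store contents, the `demo` username and the exact-key `credHelpers` lookup in `helper_for` are assumptions made for illustration.

```python
import base64
import json
import tempfile
from pathlib import Path

PASS_FOLDER = "docker-credential-helpers"  # store subfolder shown in the `pass` tree

# Constructed sample: the config.json quoted in the report above.
SAMPLE_CONFIG = json.loads("""{
  "auths": {"public.ecr.aws": {}},
  "credsStore": "desktop",
  "credHelpers": {"public.ecr.aws/z7f783hdj": "pass"}
}""")


def decode_entry(name):
    """Decode a store directory name to a registry URL, or None if it is not base64."""
    try:
        return base64.urlsafe_b64decode(name).decode("utf-8")
    except ValueError:  # covers bad padding, non-ASCII names and non-UTF-8 payloads
        return None


def list_store(store_root):
    """Map registry URL -> usernames from file names only; gpg is never invoked."""
    found = {}
    base = Path(store_root) / PASS_FOLDER
    for entry in sorted(base.iterdir()) if base.is_dir() else []:
        url = decode_entry(entry.name) if entry.is_dir() else None
        if url:
            found[url] = sorted(p.stem for p in entry.glob("*.gpg"))
    return found


def helper_for(config, registry):
    """Assumed lookup: exact credHelpers key first, otherwise credsStore."""
    return config.get("credHelpers", {}).get(registry, config.get("credsStore"))


def build_sample_store(root):
    """Create a constructed store layout (empty .gpg files, no real secrets)."""
    for url, user in [("public.ecr.aws", "AWS"), ("https://index.docker.io/v1/", "demo")]:
        folder = Path(root) / PASS_FOLDER / base64.urlsafe_b64encode(url.encode()).decode()
        folder.mkdir(parents=True)
        (folder / f"{user}.gpg").touch()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_store(tmp)
        for url, users in list_store(tmp).items():
            print(url, users, "->", helper_for(SAMPLE_CONFIG, url))
```

To inspect a real store, call `list_store` with the path of `~/.password-store` and `helper_for` with the parsed contents of `~/.docker/config.json`.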