docker / docker-credential-helpers

Programs to keep Docker login credentials safe by storing in platform keystores
MIT License

docker-credential-osxkeychain 0.7.0 get fails to retrieve records #246

Open ericpromislow opened 1 year ago

ericpromislow commented 1 year ago

I've upgraded to version 0.7.0 of d-c-osxkeychain and can no longer retrieve records:


$ $A/docker-credential-osxkeychain version
0.6.4
$ $B/docker-credential-osxkeychain version
docker-credential-osxkeychain (github.com/docker/docker-credential-helpers) v0.7.0

$ for x in $($A/docker-credential-osxkeychain list | jq -r . | grep https | sed -e 's/ "//' -e 's/":.*//') ; do echo $x | tee /dev/tty | $A/docker-credential-osxkeychain get | cut -b 1-100; done
https://bobs.fish/bait
{"ServerURL":"https://bobs.fish/bait","Username":"bob","Secret":"cat"}
https://bobs.fish/clams
{"ServerURL":"https://bobs.fish/clams","Username":"bob","Secret":"dog"}
https://cals.nightcrawlers.com/guaranteed
{"ServerURL":"https://cals.nightcrawlers.com/guaranteed","Username":"cal","Secret":"cow"}

$ for x in $($B/docker-credential-osxkeychain list | jq -r . | grep https | sed -e 's/ "//' -e 's/":.*//') ; do echo $x | tee /dev/tty | $B/docker-credential-osxkeychain get | cut -b 1-100; done
https://bobs.fish/bait
The user name or passphrase you entered is not correct.
https://bobs.fish/clams
The user name or passphrase you entered is not correct.
https://cals.nightcrawlers.com/guaranteed
The user name or passphrase you entered is not correct.

One difference is that when I run 0.6.4 I sometimes get that dialog prompting me for the keychain password. With 0.7.0 I never do. Maybe that's why it's failing.

ghost commented 1 year ago

I have the same issue and have ended up reverting to 0.6.4. Would be interested to know if 0.7.0 is working for anyone.

ericpromislow commented 1 year ago

Upgrading my mac to 12.6.1 did not fix this issue.

But here's something I did notice: it does succeed at retrieving records with empty Secret fields.

I should also point out that if I build 0.7.0 from source it works fine.

thaJeztah commented 1 year ago

@crazy-max could this be because the binaries on GitHub were not notarized?

ericpromislow commented 1 year ago

Well, there are some significant differences in the output for the two codesign outputs:

diff <(codesign -d --verbose=4 ./docker-credential-osxkeychain-v0.6.4) <(codesign -d --verbose=4 ./docker-credential-osxkeychain-v0.7.0)
...
< Identifier=docker-credential-osxkeychain
> Identifier=a.out
...
< CodeDirectory v=20500 size=22985 flags=0x10000(runtime) hashes=707+7 location=embedded
> CodeDirectory v=20400 size=14750 flags=0x2(adhoc) hashes=456+2 location=embedded
…
< Signature size=9001
Authority=Developer ID Application: Docker Inc (9BNSXJN65R)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
> Signature=adhoc
…
> TeamIdentifier=9BNSXJN65R
Runtime Version=11.1.0
Sealed Resources=none
Internal requirements count=1 size=192
< TeamIdentifier=not set
Sealed Resources=none
Internal requirements count=0 size=12

I'm not an expert on macOS notarization, but it makes sense that it would account for the differences seen here.

ericpromislow commented 1 year ago

Turns out we notarize the binary for release. I was testing with a dev build all this time.

jandubois commented 1 year ago

@crazy-max could this be because the binaries on GitHub were not notarized?

It is because the binary has a broken ad-hoc signature; it is not related to notarization:

$ spctl -a docker-credential-osxkeychain
docker-credential-osxkeychain: invalid signature (code or signature have been modified)

$ echo https://index.docker.io/v1/ | docker-credential-osxkeychain get
The user name or passphrase you entered is not correct.

$ codesign --force --deep -s - docker-credential-osxkeychain
docker-credential-osxkeychain: replacing existing signature

$ echo https://index.docker.io/v1/ | docker-credential-osxkeychain get
{"ServerURL":"https://index.docker.io/v1/","Username":"jandubois","Secret":"[REDACTED]"}

$ spctl -a docker-credential-osxkeychain
docker-credential-osxkeychain: rejected

Note that 0.6.4 had a proper Docker signature; 0.7.0 and 0.8.0 have ad-hoc signatures. I've only looked at the 0.8.0 one now, and it seems to be broken (see above). Replacing the signature with a new ad-hoc signature made it work properly, and the re-signed binary worked even on a different machine.

Only tested on Intel; not sure if an M1 machine will reject non-local ad-hoc signatures.
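The two checks used in this thread (the codesign diff in the earlier comment and the spctl / codesign sequence above) can be scripted so that a downloaded helper binary is inspected before it is allowed to read the login keychain. The script below is an added example and is not part of docker-credential-helpers; the field names it matches are those codesign and spctl actually print, and the sample outputs embedded at the bottom are constructed from the values quoted in this thread for offline testing.

```shell
#!/bin/sh
# Added example (not docker-credential-helpers code): classify the signature of
# a credential-helper binary from `codesign -d --verbose=4` and `spctl -a`
# output, so a broken or ad-hoc signature is noticed before the helper is
# wired into ~/.docker/config.json.

# classify_signature TEXT -> developer-id | adhoc | unsigned | unknown
classify_signature() {
    text="$1"
    if printf '%s\n' "$text" | grep -q 'code object is not signed'; then
        echo unsigned
    elif printf '%s\n' "$text" | grep -q '^Signature=adhoc'; then
        echo adhoc
    elif printf '%s\n' "$text" | grep -q '^Authority=Developer ID Application'; then
        echo developer-id
    else
        echo unknown
    fi
}

# signature_warnings TEXT -> one line per property that a release build of a
# keychain helper should not have (these are the exact differences seen
# between the 0.6.4 and 0.7.0 binaries in this thread)
signature_warnings() {
    text="$1"
    printf '%s\n' "$text" | grep -q '^Identifier=a\.out$' \
        && echo 'identifier is a.out (linker default, not the product name)'
    printf '%s\n' "$text" | grep -q '^TeamIdentifier=not set$' \
        && echo 'no team identifier (not a Developer ID signature)'
    printf '%s\n' "$text" | grep -q 'flags=0x10000(runtime)' \
        || echo 'hardened runtime flag missing'
    return 0
}

# classify_spctl EXITCODE TEXT -> accepted | broken-signature | rejected
# "invalid signature" is the 0.8.0 release case above; "rejected" is what an
# intact ad-hoc signature produces after re-signing with `codesign -s -`.
classify_spctl() {
    if [ "$1" -eq 0 ]; then
        echo accepted
    elif printf '%s\n' "$2" | grep -q 'invalid signature'; then
        echo broken-signature
    else
        echo rejected
    fi
}

# check_helper PATH: run the real tools (macOS only) and print a report.
check_helper() {
    bin="$1"
    command -v codesign >/dev/null 2>&1 \
        || { echo 'codesign not found (macOS only)' >&2; return 2; }
    cs=$(codesign -d --verbose=4 "$bin" 2>&1) || true   # codesign writes to stderr
    echo "signature: $(classify_signature "$cs")"
    signature_warnings "$cs"
    if sp=$(spctl -a "$bin" 2>&1); then rc=0; else rc=$?; fi
    echo "gatekeeper: $(classify_spctl "$rc" "$sp")"
}

# Constructed samples, built from the codesign lines quoted in this thread.
ADHOC_SAMPLE='Executable=/tmp/docker-credential-osxkeychain
Identifier=a.out
Format=Mach-O thin (x86_64)
CodeDirectory v=20400 size=14750 flags=0x2(adhoc) hashes=456+2 location=embedded
Signature=adhoc
TeamIdentifier=not set
Sealed Resources=none
Internal requirements count=0 size=12'

DEVID_SAMPLE='Executable=/tmp/docker-credential-osxkeychain
Identifier=docker-credential-osxkeychain
Format=Mach-O thin (x86_64)
CodeDirectory v=20500 size=22985 flags=0x10000(runtime) hashes=707+7 location=embedded
Signature size=9001
Authority=Developer ID Application: Docker Inc (9BNSXJN65R)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=9BNSXJN65R
Runtime Version=11.1.0
Sealed Resources=none
Internal requirements count=1 size=192'

# Usage: sh check-helper.sh /path/to/docker-credential-osxkeychain
[ -n "${1:-}" ] && check_helper "$1"
```

Run against a real binary, the report for the 0.7.0 release would read "signature: adhoc" followed by the three warnings and "gatekeeper: broken-signature", while 0.6.4 gives "signature: developer-id" with no warnings. The classification is deliberately based on the presence of a Developer ID Application authority and the hardened-runtime flag rather than on spctl alone, because an ad-hoc binary that has been re-signed locally still works with the keychain yet is still rejected by spctl, as the comment above shows.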

jandubois commented 1 year ago

@ericpromislow I don't think you should have closed this issue; it has not been fixed (nor been rejected). Please re-open!

pjcdawkins commented 6 months ago

Hello, for the record I've also found this issue with version 0.8.1 (OS X amd64).

cidrbl0ck commented 5 months ago

Same problem here on Sonoma with docker-credential-osxkeychain 0.7.0