
Docker registry token defaults to "A"

Open MarkRx opened this issue 4 months ago • 8 comments

brew doctor output

bash-3.2$ brew doctor
Your system is ready to brew.

Verification

  • [X] My "brew doctor output" above says Your system is ready to brew. and am still able to reproduce my issue.
  • [X] I ran brew update twice and am still able to reproduce my issue.
  • [X] This issue's title and/or description do not reference a single formula e.g. brew install wget. If they do, open an issue at https://github.com/Homebrew/homebrew-core/issues/new/choose instead.

brew config output

bash-3.2$ brew config
HOMEBREW_VERSION: >=4.1.0 (shallow or no git repository)
ORIGIN: (none)
HEAD: (none)
Last commit: never
Core tap JSON: 14 Feb 20:32 UTC
Core cask tap JSON: 14 Feb 20:33 UTC
HOMEBREW_PREFIX: /opt/homebrew
HOMEBREW_ARTIFACT_DOMAIN: https://myrepository.com/artifactory/homebrew-remote
HOMEBREW_CASK_OPTS: []
HOMEBREW_MAKE_JOBS: 8
HOMEBREW_NO_AUTO_UPDATE: set
Homebrew Ruby: 3.1.4 => /opt/homebrew/Library/Homebrew/vendor/portable-ruby/3.1.4/bin/ruby
CPU: octa-core 64-bit arm_firestorm_icestorm
Clang: 15.0.0 build 1500
Git: 2.43.2 => /opt/homebrew/bin/git
Curl: 8.1.2 => /usr/bin/curl
macOS: 13.6-arm64
CLT: 15.1.0.0.1.1700200546
Xcode: 15.2
Rosetta 2: false

What were you trying to do (and why)?

Connect to a private repository using anonymous access

What happened (include all command output)?

The default Authorization: Bearer token sent is QQ== ("A"). As a result anonymous access fails.

bash-3.2$ brew install openjdk@17 --verbose
==> Downloading https://myrepository.com/artifactory/homebrew-remote/v2/homebrew/core/openjdk/17/manifests/17.0.9
Already downloaded: /Users/homebrew/Library/Caches/Homebrew/downloads/6274f55d293c4208920a5d52b3b06d4a9dedb0e7139b671f4f66fada2abbc486--openjdk@17-17.0.9.bottle_manifest.json
==> Fetching openjdk@17
==> Downloading https://myrepository.com/artifactory/homebrew-remote/v2/homebrew/core/openjdk/17/blobs/sha256:41eda5749bf9032865a1168a0306a5b089f3098433dc1b95eebe82bedb98f023
/usr/bin/env /opt/homebrew/Library/Homebrew/shims/shared/curl --disable --cookie /dev/null --globoff --show-error --user-agent Homebrew/4.X.Y\ (Macintosh;\ arm64\ Mac\ OS\ X\ 13.6)\ curl/8.1.2 --header Accept-Language:\ en --fail --retry 3 --header Authorization:\ Bearer\ QQ== --remote-time --output /Users/homebrew/Library/Caches/Homebrew/downloads/0979b1d425479e75863f78205c409052fa471b62c25cf53cdb97a96be46c5152--openjdk@17--17.0.9.arm64_ventura.bottle.tar.gz.incomplete --location https://myrepository.com/artifactory/homebrew-remote/v2/homebrew/core/openjdk/17/blobs/sha256:41eda5749bf9032865a1168a0306a5b089f3098433dc1b95eebe82bedb98f023
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0   101    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
curl: (22) The requested URL returned error: 401
Error: openjdk@17: Failed to download resource "openjdk@17"
Download failed: https://myrepository.com/artifactory/homebrew-remote/v2/homebrew/core/openjdk/17/blobs/sha256:41eda5749bf9032865a1168a0306a5b089f3098433dc1b95eebe82bedb98f023

What did you expect to happen?

The request does not attempt to send an auth header because there is no token set up. Why is the default token "A"?

Step-by-step reproduction instructions (by running brew commands)

1. Configure brew to use a private repository using HOMEBREW_ARTIFACT_DOMAIN
2. Attempt to install a package
3. The install fails since an invalid auth header is sent

MarkRx avatar Feb 15 '24 19:02 MarkRx

Why is the default token "A"?

Because GitHub Packages is the default registry and it requires an authentication header (even though the value is bogus).

It can be customised with HOMEBREW_DOCKER_REGISTRY_TOKEN however (or HOMEBREW_DOCKER_REGISTRY_BASIC_AUTH_TOKEN for Basic auth instead of Bearer)

Bo98 avatar Feb 15 '24 19:02 Bo98

Unfortunately it seems those environment variables are not respected if set to nothing:

bash-3.2$ export HOMEBREW_DOCKER_REGISTRY_TOKEN=
bash-3.2$ export HOMEBREW_DOCKER_REGISTRY_BASIC_AUTH_TOKEN=

bash-3.2$ env | sort
. . .
HOME=/Users/homebrew
HOMEBREW_DOCKER_REGISTRY_BASIC_AUTH_TOKEN=
HOMEBREW_DOCKER_REGISTRY_TOKEN=
. . .

bash-3.2$ brew install openjdk@17 --verbose
==> Downloading https://myrepository.com/artifactory/homebrew-remote/v2/homebrew/core/openjdk/17/manifests/17.0.9
/usr/bin/env /opt/homebrew/Library/Homebrew/shims/shared/curl --disable --cookie /dev/null --globoff --show-error --user-agent Homebrew/4.X.Y\ (Macintosh;\ arm64\ Mac\ OS\ X\ 13.6)\ curl/8.1.2 --header Accept-Language:\ en --fail --retry 3 --header Accept:\ application/vnd.oci.image.index.v1+json --header Authorization:\ Bearer\ QQ== --remote-time --output /Users/homebrew/Library/Caches/Homebrew/downloads/6274f55d293c4208920a5d52b3b06d4a9dedb0e7139b671f4f66fada2abbc486--openjdk@17-17.0.9.bottle_manifest.json.incomplete --location https://myrepository.com/artifactory/homebrew-remote/v2/homebrew/core/openjdk/17/manifests/17.0.9
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0   101    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
curl: (22) The requested URL returned error: 401

MarkRx avatar Feb 15 '24 19:02 MarkRx

Unfortunately it seems those environment variables are not respected if set to nothing:

Correct.

To ensure we've understood correctly: you have a private Artifactory but it does not have any authentication?

MikeMcQuaid avatar Feb 16 '24 08:02 MikeMcQuaid

There is authentication but we allow anonymous access on repository mirrors (remote repositories) on our private Artifactory instance. Hence homebrew-remote which mirrors ghcr.io does not require authentication.

We could create an account for homebrew access but I'd prefer not to as that creates additional overhead for password/token rotation.

MarkRx avatar Feb 19 '24 13:02 MarkRx

We'll review a PR to fix this.

MikeMcQuaid avatar Feb 20 '24 08:02 MikeMcQuaid

A potential quick fix for this might be to set HOMEBREW_GITHUB_PACKAGES_AUTH="Bearer QQ==" only when both:

  • HOMEBREW_ARTIFACT_DOMAIN isn't set
  • HOMEBREW_BOTTLE_DOMAIN isn't OR is set to the default (https://ghcr.io/v2/homebrew/core respectively)

https://github.com/Homebrew/brew/blob/a570e4da19131eb9e7263f392e863cbaf3325884/Library/Homebrew/brew.sh#L955-L963

One blind spot: Is sending QQ== something unique to ghcr.io, or does any Docker registry require a token and the clients just know to use this Base64'd A if otherwise unset?

colindean avatar Mar 26 '24 20:03 colindean
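
The condition proposed in the comment above, sketched as an added shell example (this is not Homebrew's brew.sh code and not part of the thread). `choose_registry_auth` is a hypothetical helper, and the Bearer-before-Basic precedence is an assumption; the variable names and the default domain are the ones named in the thread.

```shell
#!/bin/sh
# Added illustration only; choose_registry_auth is a hypothetical name.
DEFAULT_BOTTLE_DOMAIN="https://ghcr.io/v2/homebrew/core"  # default named in the thread

# Prints the Authorization header value to send, or nothing when the
# request should go out anonymously. Reads the HOMEBREW_* shell variables.
choose_registry_auth() {
  # An explicitly configured, non-empty token always wins.
  # (Checking Bearer before Basic is an assumption of this sketch.)
  if [ -n "${HOMEBREW_DOCKER_REGISTRY_TOKEN:-}" ]; then
    printf 'Bearer %s\n' "${HOMEBREW_DOCKER_REGISTRY_TOKEN}"
    return 0
  fi
  if [ -n "${HOMEBREW_DOCKER_REGISTRY_BASIC_AUTH_TOKEN:-}" ]; then
    printf 'Basic %s\n' "${HOMEBREW_DOCKER_REGISTRY_BASIC_AUTH_TOKEN}"
    return 0
  fi
  # No token configured. A private artifact mirror gets no header at all,
  # so anonymous access is not turned into a 401 by a bogus credential.
  if [ -n "${HOMEBREW_ARTIFACT_DOMAIN:-}" ]; then
    return 0
  fi
  # The placeholder is only sent when the bottle domain is unset or default.
  case "${HOMEBREW_BOTTLE_DOMAIN:-}" in
    ""|"${DEFAULT_BOTTLE_DOMAIN}") printf 'Bearer QQ==\n' ;;
    *) : ;;  # custom bottle domain: anonymous
  esac
}

# Constructed scenario from the issue: anonymous mirror, empty token variables.
( HOMEBREW_ARTIFACT_DOMAIN="https://myrepository.com/artifactory/homebrew-remote"
  HOMEBREW_DOCKER_REGISTRY_TOKEN=
  HOMEBREW_DOCKER_REGISTRY_BASIC_AUTH_TOKEN=
  HOMEBREW_BOTTLE_DOMAIN=
  printf 'private mirror   -> [%s]\n' "$(choose_registry_auth)" )

# Constructed scenario: nothing configured, default registry.
( HOMEBREW_ARTIFACT_DOMAIN= HOMEBREW_BOTTLE_DOMAIN=
  HOMEBREW_DOCKER_REGISTRY_TOKEN= HOMEBREW_DOCKER_REGISTRY_BASIC_AUTH_TOKEN=
  printf 'default registry -> [%s]\n' "$(choose_registry_auth)" )
```

An empty result means the caller should omit the `--header Authorization: ...` argument entirely rather than pass an empty value.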

Is sending QQ== something unique to ghcr.io

I think this is the case.

MikeMcQuaid avatar Mar 27 '24 08:03 MikeMcQuaid

A potential quick fix

@colindean can you open a PR? Thanks.

MikeMcQuaid avatar Mar 27 '24 08:03 MikeMcQuaid