docker-credential-helpers icon indicating copy to clipboard operation
docker-credential-helpers copied to clipboard

Published 20 hours ago verified publisher icon docker

docker build triggers useless gpg passphrase dialog

Open user706 opened this issue 3 years ago • 3 comments

I'm on linux (working with docker engine). I started fiddling with docker-credential-pass in order to be able to do this:

aws ecr-public get-login-password --region us-east-1 --profile myprofile \
         | docker login --username AWS --password-stdin public.ecr.aws/z7f783hdj

ok that's now working. but...

Problem

Now everytime I do

docker build --progress=plain `#--no-cache` -t=myimage -f Dockerfile_great .

I first get a useless gpg diaglog window asking for my passphrase:

Passphrase
Please enter the passphrase to unlock the OpenPGP secret key

I just hit Cancel and then (and only then) the actual build starts.

How do I get rid of this useless dialog. Why is it coming??

My details:

# cat ~/.docker/config.json       # shows
{
	"auths": {
		"public.ecr.aws": {}
	},
	"credsStore": "desktop",
	"credHelpers": {
		"public.ecr.aws/z7f783hdj": "pass"
	}
}

Thanks for tipps and suggestions.

user706 avatar Nov 20 '22 00:11 user706

ok, to analyze the situation, I replaced both these tools...

  • /usr/bin/credential-helper-pass
  • /usr/bin/gpg ...with this script:
#!/usr/bin/env bash

echo "$@" | tee -a /home/hero/args.txt
cat -     | tee -a /home/hero/stdin.txt

and then ran docker build -t im_test .

The result is:

/usr/bin/credential-helper-pass gets called with:

  • args: list
  • stdin: unused

/usr/bin/gpggets called with:

  • args: -d --quiet --yes --compress-algo=none --no-encrypt-to /home/albert/.password-store/docker-credential-helpers/cHVblablabla=/AWS.gpg
  • stdin: (nothing)

And sure enough (once I put back the original tools) and run:

gpg -d --quiet --yes --compress-algo=none --no-encrypt-to /home/albert/.password-store/docker-credential-helpers/cHVblablabla=/AWS.gpg

I get the same dialog, asking for the passphrase.

Why is gpg with those arguments during docker build? Thanks.

PS: if I call pass I get

Password Store
└── docker-credential-helpers
    └── cHVblablabla=
        └── AWS

(Should the pass gpg key used for docker-credential-helpers... not have a passphrase????)

user706 avatar Nov 20 '22 10:11 user706

Why is a normal docker build asking for my aws credential????

By the way: I now did docker logout.

It shows:

Removing login credentials for https://index.docker.io/v1/
WARNING: could not erase credentials:
https://index.docker.io/v1/: error erasing credentials - err: exit status 1, out: `exit status 1: Error: docker-credential-helpers/aHR0cHM6blablablablablaIuaW8vdjEv is not in the password store.`

I think aHR0cHM6blablablablablaIuaW8vdjEv is referring to a gpg key-id in the password store.

Well I recently deleted ~/.password-store/ because I wanted to start afresh. Maybe that's what's causing the problem.

How can I go about fixing it?

user706 avatar Nov 20 '22 10:11 user706

I've now done docker logout registry... and it returned

Removing login credentials for registry

and now (magically)

docker build works without calling the gpg dialog. Perfect.

But: What's going on exacly? (Any pointers to good documentation, to help me understand whats going on?) Thank you.

user706 avatar Nov 20 '22 10:11 user706