docker-credential-helpers
Recreating osx keychain key
I am not sure if this is an actual issue with docker-credential-osxkeychain or rather the way security works on OSX, but let me explain what's going on.
On OSX I can manually create a "Docker Credentials" entry in the keychain before running Docker for Mac by simply running security like this:
security add-internet-password -a dockerHubUser -l "Docker Credentials" -r htps -s "index.docker.io" -p "/v1/" -w 1234567890 -T "/Applications/Docker.app/Contents/Resources/bin/docker-credential-osxkeychain.bin" -c "aapl"
I'd expect that once I start Docker for Mac after the key has been created, I would not receive a popup saying
docker-credential-osxkeychain wants to access key "Docker Credentials" in your keychain. Do you want to allow access to this item?
but rather that it would just acquire what's set in the key in order to automatically log me in to my Docker Hub account. Because once I allow the access, I am logged in automatically and everything works.
I'd assume this has something to do with how OSX sets the keys in the keychain and that by manually creating it I miss out on setting some important part. I have tried playing around with dumping keys and comparing them but had no luck finding any differences. One thing that might be missing is a specific code signature of either Docker for Mac or the osxkeychain helper that should be set via security set-internet-password-partition-list, but even though I've tried that one as well, I must say I did not manage to make it work.
While manually creating the entry in the keychain, I granted some more apps the right to access the key by specifying more -T options to the security command, and once I ran Docker for Mac the same popup would appear. After I allowed the access, Docker would automatically log me in to my Docker Hub account, but by examining the Docker Credentials entry in the keychain I could see that all the other apps (that I had previously specified with multiple -T options) were removed from the Access Control tab except docker-credential-osxkeychain.bin, which was a clear indication that it overwrites the entry, so there must be something I'm missing when manually creating the key.
Why do I need this? I would like to automate the installation of Docker for Mac via configuration management tools.
Sorry if this is off-topic and unrelated, but I just hope someone might come up with an idea or even a suggestion on how to mitigate this behaviour.
EDIT: one more thing: once I allow access to the manually created key and then quit and start Docker for Mac again, it works as expected, without prompting me for anything.
Solved it by executing:
security set-internet-password-partition-list -S apple-tool:,apple:,teamid:9BNSXJN65R -k ${KEYCHAIN_PASSWD} -l ${LABEL}
The key thing is adding the teamid as well.
May be closed.
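The complete procedure from the post and the fix (create the item with the helper in its ACL, then set a partition list that includes Docker's team ID), scripted end to end as an added example. This is not code from the issue author or from the docker-credential-helpers project. It assumes the helper path and the team ID 9BNSXJN65R quoted above, that the login keychain password is supplied as the third argument, and that DRY_RUN=1 prints the security invocations instead of running them (useful on a host without the security tool). One caveat for automation: both -w and -k put secrets on the command line, where other local users can read them from the process list while the command runs.

```shell
#!/bin/sh
# Added example (not from the issue or the docker-credential-helpers project):
# provision the "Docker Credentials" keychain item non-interactively and grant
# docker-credential-osxkeychain access via the partition list, so Docker for Mac
# finds a usable login without the "wants to access" prompt.
#
# Assumptions: the helper lives at $HELPER below, Docker's team ID is 9BNSXJN65R
# (the value from the fix above), and the login keychain password is passed as
# the third argument. DRY_RUN=1 prints the security commands instead of running
# them.
set -eu

HELPER="/Applications/Docker.app/Contents/Resources/bin/docker-credential-osxkeychain.bin"
LABEL="Docker Credentials"
SERVER="index.docker.io"
URLPATH="/v1/"
TEAMID="9BNSXJN65R"

# Execute a command, or print it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Step 1: create the internet-password item the way the helper stores it
# (protocol code "htps", server index.docker.io, path /v1/) and put the helper
# binary in the item's ACL with -T.
create_item() {
  run security add-internet-password \
    -a "$1" -l "$LABEL" -r htps -s "$SERVER" -p "$URLPATH" -w "$2" \
    -T "$HELPER" -c aapl
}

# Step 2: per the fix above, the -T ACL entry alone is not enough; the item
# also needs a partition list that includes Docker's team ID.
set_partition_list() {
  run security set-internet-password-partition-list \
    -S "apple-tool:,apple:,teamid:$TEAMID" -k "$1" -l "$LABEL"
}

# Step 3: confirm the item exists (no -g, so the secret is not printed).
verify_item() {
  run security find-internet-password -s "$SERVER" -l "$LABEL"
}

# $1 = Docker Hub user, $2 = password or access token, $3 = keychain password
provision() {
  create_item "$1" "$2"
  set_partition_list "$3"
  verify_item
}

# usage: ./provision-docker-keychain.sh <dockerhub-user> <token> <keychain-password>
if [ "$#" -eq 3 ]; then
  provision "$1" "$2" "$3"
fi
```

Run it once per machine from your configuration management tool; on a second run, add-internet-password fails because the item already exists, so delete the old item first (security delete-internet-password -l "Docker Credentials") if you need to rotate the token.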