Docker-credential-pass broken on `dist: xenial`


#1

As commented in travis-ci/travis-ci#9495, the following script works on a default travis job with the following config:

```yaml
os: linux
services: docker
language: minimal
install: skip
addons:
  apt:
    packages:
      - pass
```

```sh
# Download the docker-credential-pass helper and make it executable
curl -fsSL "https://github.com/docker/docker-credential-helpers/releases/download/v0.6.0/docker-credential-pass-v0.6.0-amd64.tar.gz" | tar xv
chmod +x "$(pwd)/docker-credential-pass"

# Generate a GPG key in batch mode, then initialise the pass store with its key ID
gpg --batch --gen-key <<-EOF ; pass init $(gpg --no-auto-check-trustdb --list-secret-keys | grep ^sec | cut -d/ -f2 | cut -d" " -f1)
%echo Generating a standard key
Key-Type: DSA
Key-Length: 1024
Subkey-Type: ELG-E
Subkey-Length: 1024
Name-Real: Meshuggah Rocks
Name-Email: meshuggah@example.com
Expire-Date: 0
# Do a commit here, so that we can later print "done" :-)
%commit
%echo done
EOF

# Log in, reading the password from stdin
echo "$DOCKER_PASS" | docker login -u "$DOCKER_USER" --password-stdin
```

This is the output:

```
gpg: Generating a standard key
+++++.+++++++++++++++.++++++++++++++++++++++++++++++++++++++++.+++++++++++++++.+++++++++++++++++++++++++.++++++++++.+++++.+++++++++++++++>.+++++..+++++........+++++
++++++++++++++++++++..+++++.+++++++++++++++++++++++++++++++++++++++++++++++++++++++..+++++...+++++.+++++.+++++.+++++++++++++++..+++++++++++++++........>+++++.........+++++^^^
gpg: key 02283F1E marked as ultimately trusted
gpg: done
gpg: please do a --check-trustdb
mkdir: created directory ‘/home/travis/.password-store’
Password store initialized for 02283F1E.
Login Succeeded
```

However, if dist: xenial is added to the configuration, docker-credential-pass no longer uses pass, as shown in this log:

```
gpg: directory `/root/.gnupg' created
gpg: new configuration file `/root/.gnupg/gpg.conf' created
gpg: WARNING: options in `/root/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/root/.gnupg/secring.gpg' created
gpg: keyring `/root/.gnupg/pubring.gpg' created
gpg: Generating a standard key
+++++++++++++++++++++++++.+++++.+++++++++++++++.++++++++++.++++++++++.++++++++++.++++++++++.+++++.+++++.++++++++++++++++++++++++++++++++++++++++..>.+++++...+++++
.++++++++++.+++++++++++++++.+++++++++++++++++++++++++++++++++++..++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++>+++++>+++++............<+++++...........>+++++.+++++^^^
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 5E70B819 marked as ultimately trusted
gpg: done
gpg: please do a --check-trustdb
mkdir: created directory '/root/.password-store/'
Password store initialized for 5E70B819
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
```

So, it seems pointless to use pass and docker-credential-pass on dist:xenial. Furthermore, compared to dist:trusty, no error is shown, but it does not work. Therefore, it is an annoying regression for users that are updating the dist.

cc @teohhanhui @BanzaiMan


#2

I’m sorry, but I don’t understand what you are stating here. The command indicates that it succeeded in logging in.


#3

The problem is not to log in successfully. That is always achieved. This issue is about how the password is stored on the host. Please, have a look at the last five lines of the log in dist:xenial. You will see:

```
Password store initialized for 5E70B819
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
```

in contrast to the following in dist:trusty:

```
Password store initialized for 02283F1E.
Login Succeeded
```

This means that, even if the password store is initialized (pass), docker login is not using it in xenial. So, it is pointless ATM to install pass and docker-credential-pass, because the motivation to do so was to get rid of the warning.

In other words, these two scripts produce exactly the same result on xenial, but a different one on trusty:

```sh
curl -fsSL "https://github.com/docker/docker-credential-helpers/releases/download/v0.6.0/docker-credential-pass-v0.6.0-amd64.tar.gz" | tar xv
chmod +x "$(pwd)/docker-credential-pass"

gpg --batch --gen-key <<-EOF ; pass init $(gpg --no-auto-check-trustdb --list-secret-keys | grep ^sec | cut -d/ -f2 | cut -d" " -f1)
...
EOF

echo "$DOCKER_PASS" | docker login -u "$DOCKER_USER" --password-stdin
```

```sh
echo "$DOCKER_PASS" | docker login -u "$DOCKER_USER" --password-stdin
```

#4

@BanzaiMan I just set up a repo to illustrate this:

where

  1. Trusty, no pass/docker-credential pass. No warning.
  2. Trusty, with pass/docker-credential pass. No warning.
  3. Xenial, no pass/docker-credential pass. Warning (expected).
  4. Xenial, with pass/docker-credential pass. Warning (NOT expected). The result seems to be the same as 3. and it should not.

#5

Note that the warning comes from the docker command itself.

The docker versions are different on Trusty (17.09.0-ce) and Xenial (18.06.0-ce), and this probably explains why you see the warning. If you update docker on Trusty, I suspect you would see the same warning.
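
Added example (not part of the thread, and not Travis or Docker code): whether or not the CLI prints the warning, how the login was stored can be read directly from the Docker `config.json`. This Python check reports, per registry, whether credentials sit inline as base64 or are delegated to a `docker-credential-*` helper that is actually on `PATH`. The function name, the `ci-user` account and both sample configs are constructed for illustration.

```python
import base64
import json
import shutil
import sys

def audit_docker_config(config_text, which=shutil.which):
    """Report, per registry, how a Docker config.json stores its credentials."""
    cfg = json.loads(config_text)
    store = cfg.get("credsStore")               # global helper suffix, e.g. "pass"
    per_registry = cfg.get("credHelpers", {})   # registry -> helper suffix
    report = {}
    for registry, entry in cfg.get("auths", {}).items():
        helper = per_registry.get(registry, store)
        if entry.get("auth"):
            # "auth" is base64("user:password"): encoded, not encrypted.
            decoded = base64.b64decode(entry["auth"]).decode("utf-8", "replace")
            user = decoded.split(":", 1)[0]     # never echo the password itself
            report[registry] = f"UNENCRYPTED inline credentials for user {user!r}"
        elif helper is None:
            report[registry] = "no inline credentials and no helper configured"
        elif which(f"docker-credential-{helper}") is None:
            report[registry] = f"docker-credential-{helper} configured but not on PATH"
        else:
            report[registry] = f"delegated to docker-credential-{helper}"
    return report

# Constructed sample configs (not taken from the thread).
REGISTRY = "https://index.docker.io/v1/"
INLINE = json.dumps({"auths": {REGISTRY: {
    "auth": base64.b64encode(b"ci-user:not-a-real-password").decode()}}})
WITH_HELPER = json.dumps({"auths": {REGISTRY: {}}, "credsStore": "pass"})

if __name__ == "__main__":
    # With a path argument, audit that file (e.g. ~/.docker/config.json);
    # otherwise run on the constructed samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            samples = [fh.read()]
    else:
        samples = [INLINE, WITH_HELPER]
    for text in samples:
        for registry, status in audit_docker_config(text).items():
            print(f"{registry}: {status}")
```

Run after `docker login` in the CI job, it shows which storage path was really taken on each dist.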


#6

Then, regarding this comment, should the method be suggested for trusty only or not suggested at all?