Notation CLI fails to login because of the missing credentials store

Question

Notation CLI fails to login because of the missing credentials store

haoliangyu opened this issue 3 months ago · comments

I am trying to use the setup action to install Notation CLI in a workflow to sing images in ECR. The workflow would look like this

name: test-image-signing

on:
  push:
    branches:
      - main
jobs:
  test:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: read
    steps:
      - name: setup Notation CLI
        uses: notaryproject/notation-action/setup@v1
        with:
          version: "1.1.0"
      - name: Setup AWS access
        uses: test-org/a-custom-action@main
        with:
          environment: test
      - name: Sign
        shell: bash
        run: |
          region=us-east-1
          ecr_url=123456789.dkr.ecr.$region.amazonaws.com

          # this is successful
          aws ecr get-login-password --region $region | docker login --username AWS --password-stdin $ecr_url

          # this is NOT successful
          aws ecr get-login-password --region $region | notation login --username AWS --password-stdin $ecr_url

I am trying to use the Notation CLI directly in bash, instead of using the sing action, to sign images because our actual push-and-sign logic is a bit complex. However, when it tries to run the notation login command, it fails with the message

Error: failed to log in to 123456789.dkr.ecr.us-east-1.amazonaws.com: the credential could not be saved because a credentials store is required to securely store the password. See https://notaryproject.dev/docs/how-to/registry-authentication/

Note that the docker login does succeed and I can verify that the docker configuration exists at ~/.docker/config.json. According to the notation documentation, it should resolve either the notation configuration or docker configuration. But it does not.

I am not sure if it is a problem with the action or the Notation CLI itself. If this is not the appropriate place to ask, this issue can be moved.

Haoliang Yu · Answer 1 · Wed Feb 14 2024 00:12:35 GMT+0800 (China Standard Time)

I figure out that the notation login is not necessary if the docker login is already done. So the authentication issue is addressed, though I am still not clear on why notation login will throw a credentials store error in this case.

Yi Zha · Answer 2 · Sun Feb 18 2024 09:18:46 GMT+0800 (China Standard Time)

Thanks @haoliangyu for reporting this issue. As you figured out, notation login was not necessary if users authenticated with docker login . notation login requires a credential store to save the credentials securely. However, if there is no credential store installed, docker login can save the password with base64 encoding in config file. See https://docs.docker.com/engine/reference/commandline/login/#default-behavior. notation login does not support this behavior as it is not secure. We recommend using credential store to manage your credentials securely. I will review the notation authentication related document to see any improvements on authentication.