
desktop.exe credential store is not supported in WSL #696

Closed
JeyJeyGao opened this issue May 30, 2023 · 9 comments · Fixed by #712
Labels
bug Something isn't working triage Need to triage
Comments

@JeyJeyGao
Contributor

What are the areas you experience the issue in?

Notation CLI

What is not working as expected?

Docker Desktop was installed on Windows, but I cannot log in with the notation login command.
(screenshot of the failed notation login omitted)

What did you expect to happen?

I should be able to log in with the notation login command successfully because I have installed Docker Desktop with the desktop.exe credential store.

Here is my docker config:

```json
{
    "auths": {
    },
    "credsStore": "desktop.exe"
}
```

Here are the files under the notation config directory:

```
$ ~/.config/notation

total 28K
drwx------ 2 jj jj 4.0K Mar 13 16:34 localkeys
-rw-r--r-- 1 jj jj  253 Jan 11 15:10 pluginkeys.json
drwxr-xr-x 5 jj jj 4.0K May 29 16:56 plugins
-rw------- 1 jj jj  440 May 26 13:43 signingkeys.json
-rw-r--r-- 1 jj jj  360 Dec 28 17:28 trustpolicy.json
drwx------ 3 jj jj 4.0K Mar 13 16:34 truststore
```

How can we reproduce it?

  1. Install Docker Desktop on Windows
  2. Run notation login in WSL

Describe your environment

Windows 11 with WSL2 Ubuntu 22.04

What is the version of your Notation CLI or Notation Library?

Notation v1.0.0-rc.7

@JeyJeyGao JeyJeyGao added bug Something isn't working triage Need to triage labels May 30, 2023
@JeyJeyGao JeyJeyGao changed the title desktop.exe credential store is not support WSL desktop.exe credential store is not supported WSL May 30, 2023
@JeyJeyGao JeyJeyGao changed the title desktop.exe credential store is not supported WSL desktop.exe credential store is not supported in WSL May 30, 2023
@shizhMSFT
Contributor

The current behavior is that for notation login, the oras-credentials-go library only looks at the notation config for a credential helper. If there is no credential helper there, it will detect a default one even if a credential helper is set in the docker config.

The bug should be fixed at the oras-credentials-go side.

@Wwwsylvia
Contributor

Related issue on oras-credentials-go: oras-project/oras-credentials-go#71

@jimmyraywv

So, I am confused about what the behavior should be. I would not expect a credential helper to react to an explicit notation login request. That is not why a credential helper is normally used. I would expect that:

  • Login/Logout ops for Notation would not fall back to Docker settings, and would instead use local configs
  • Other ops (sign, verify, list) would fall back to a Docker config or even a system config for credentials.

Some credential helpers error when an explicit Login op is attempted and the credential helper is configured locally. This is seen in Notation and Docker.

Is that not the case? I just see Notation Login/Logout ops as separate ops from signing/verifying/listing, with separate needs for credentials and helpers.

@yizha1
Contributor

yizha1 commented Jun 1, 2023

Thanks @jimmyraywv

Notation login will use the credentials store to securely store the credentials if it authenticates with the registry successfully. The current order of detecting the credentials store for all notation commands is Notation config -> Docker config -> OS default credentials store. This issue is a bug in the notation login command: it fails to detect the credentials store if it is not found in the notation config. However, it works for the notation sign/verify/list commands since these commands just read credentials if they exist.

From the requirement point of view,

  • Notation should be able to authenticate with registries, and use the credentials store to store the credentials securely, especially for the scenario where the docker CLI is not installed in the system.
  • If users have successfully authenticated with registries using docker commands, users can use the notation sign/verify/list commands directly without needing to run notation login.

Hope this answers your question about why the behavior differs between commands. It's a bug in notation login. IMO, notation login should follow the same order to detect the credentials store.

@iamsamirzon
Contributor

iamsamirzon commented Jun 2, 2023

@yizha1 - A couple more thoughts.

  1. Is this bug present in both notation login and logout commands?
  2. In what scenarios can users run into difficulties due to this bug? What is the mitigation?
  3. Is this one of the scenarios where customers may encounter unexpected behavior? Imagine that Notation users are using a common credential helper that is used by other CLI clients (docker, oras, notation, etc.) running on the same host; then what will users expect out of Notation - should a login/logout in other clients log them in to/out of Notation and vice-versa?
  4. If we didn't have this bug, would this statement be true for RC-7: "When using a shared credential helper, a login/logout in any of the clients sharing the same credential helper will login/logout other clients"?
  5. What is a good summary description of Notation behavior that users should expect, after we fix this bug?

@yizha1
Contributor

yizha1 commented Jun 5, 2023

@iamsamirzon

@yizha1 - A couple more thoughts.

  1. Is this bug present in both notation login and logout commands?

Yes

  2. In what scenarios can users run into difficulties due to this bug? What is the mitigation?

When users use notation login/logout and there is no Notation config for the credential store. The mitigation is to manually create the Notation config.json and add the credential store.

  3. Is this one of the scenarios where customers may encounter unexpected behavior? Imagine that Notation users are using a common credential helper that is used by other CLI clients (docker, oras, notation, etc.) running on the same host; then what will users expect out of Notation - should a login/logout in other clients log them in to/out of Notation and vice-versa?

This is not relevant to this bug. Please check the answer to question 5, it may help.

  4. If we didn't have this bug, would this statement be true for RC-7: "When using a shared credential helper, a login/logout in any of the clients sharing the same credential helper will login/logout other clients"?

Before RC-7, Notation already used the credentials store to store the credentials securely. The login/logout behaviors are the same for the credentials store. In RC-7 Notation supports reading credentials from the docker config file if no credentials store is configured. However, there is a bug in RC-7 that Notation only checks its own config, not the docker config.

  5. What is a good summary description of Notation behavior that users should expect, after we fix this bug?

  • The notation login command uses the credentials store to save the credentials securely; the credentials store detection order is Notation config first, then docker config, and lastly the OS default credential stores. The bug in RC-7 is that Notation didn't check the docker config if no credential store was found in its own config.
  • The notation logout command will remove credentials from the credential store, as other clients do, for example the docker CLI.
  • If no credential store is present in the system and users logged in using the docker CLI (since docker saves plain-text credentials by default if no credential store is present), Notation reads the credentials from the docker config file. (This is useful for a test environment or a system that trusts the docker config but has no credential store present.)
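To make the detection order in this summary concrete, here is an added Go example (not code from notation or oras-credentials-go) that resolves the credential store from the Notation config first, then the Docker config, then an OS default. The helper names `DetectCredsStore`/`credsStoreFrom` and the per-OS default names are assumptions for illustration; the RC-7 login/logout bug corresponds to skipping the Docker step.

```go
package main

import (
	"encoding/json"
	"fmt"
	"runtime"
)

// configFile carries the one field this example needs from a Docker- or Notation-style config.json.
type configFile struct {
	CredsStore string `json:"credsStore"`
}

// credsStoreFrom returns the credsStore named in a config.json body, or "" when the file is missing, unparsable or has no credsStore.
func credsStoreFrom(raw []byte) string {
	var cfg configFile
	if len(raw) == 0 || json.Unmarshal(raw, &cfg) != nil {
		return ""
	}
	return cfg.CredsStore
}

// osDefaultStore is an assumed placeholder for the platform default helper;
// "" stands for "no native store, fall back to the plain-text config file".
func osDefaultStore(goos string) string {
	return map[string]string{"windows": "wincred", "darwin": "osxkeychain"}[goos]
}

// DetectCredsStore applies the order the thread describes for every notation
// command: Notation config first, then Docker config, then the OS default.
func DetectCredsStore(notationJSON, dockerJSON []byte, goos string) (store, source string) {
	if s := credsStoreFrom(notationJSON); s != "" {
		return s, "notation"
	}
	if s := credsStoreFrom(dockerJSON); s != "" {
		return s, "docker"
	}
	return osDefaultStore(goos), "os-default"
}

func main() {
	// Constructed inputs: an empty Notation config and the Docker config quoted in the issue.
	store, src := DetectCredsStore([]byte(`{}`), []byte(`{"auths":{},"credsStore":"desktop.exe"}`), runtime.GOOS)
	fmt.Printf("credsStore=%q (from %s)\n", store, src) // credsStore="desktop.exe" (from docker)
}
```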

@iamsamirzon
Contributor

Thanks @yizha1. So you are saying before RC-7/RC-6 one had to configure the Notation config.json file if they wanted to use a credential helper. With RC-7/RC-6, we aimed to simplify that by having Notation look at docker's config.json automatically, but due to the bug, the login/logout commands still don't automatically look at docker's config.json.

@yizha1
Contributor

yizha1 commented Jun 5, 2023

@iamsamirzon Before RC-7/RC-6, notation commands already supported using the credentials store from the docker config, but this bug broke the experience for the notation login/logout commands. What's new in RC-7/RC-6 is enabling reading credentials from the docker config if there is no credentials store present.

@priteshbandi
Contributor

#712 (comment)
