Skip to content

source: add ecr-credential-helper-shim#836

Closed
sky1122 wants to merge 1 commit intobottlerocket-os:developfrom
sky1122:ecr-credential-helper-shim
Closed

source: add ecr-credential-helper-shim#836
sky1122 wants to merge 1 commit intobottlerocket-os:developfrom
sky1122:ecr-credential-helper-shim

Conversation

@sky1122
Copy link
Contributor

@sky1122 sky1122 commented Feb 17, 2026
edited
Loading

Issue number:

Closes #

Description of changes:
This is part of the changes to enable notation in fips140=only mode.
Introduce ecr-credential-helper-shim, a Rust binary that downgrades GODEBUG from fips140=only to fips140=on before exec'ing the Go-based ecr-credential-helper, since the Go ECR credential helper does not support fips140=only mode.

Testing done:

  • build ecs-3-fips and ecs-3 variants imaging signing test pass.
== when pulling public.ecr.aws/o7o0w6s5/public-alpine-clone:latest ==
Digest: sha256:85f2b723e106c34644cd5851d7e81ee87da98ac54672b29947c052a45d31dc2f
Status: Downloaded newer image for public.ecr.aws/o7o0w6s5/public-alpine-clone:latest
public.ecr.aws/o7o0w6s5/public-alpine-clone:latest
=======================

Waiter CommandExecuted failed: Waiter encountered a terminal failure state: For expression "Status" we matched expected path: "Failed"
== when pulling hello-world ==
Using default tag: latest
Error response from daemon: image verifier bindir blocked pull of docker.io/library/hello-world:latest with digest sha256:ef54e839ef541993b4e87f25e752f7cf4238fa55f017957c2eb44077083d7a6a for reason: verifier notation-image-verifier rejected image (exit code 1): verifying image: docker.io/library/hello-world@sha256:ef54e839ef541993b4e87f25e752f7cf4238fa55f017957c2eb44077083d7a6a
image verification failed: Error: signature verification failed: no signature is associated with "docker.io/library/hello-world@sha256:ef54e839ef541993b4e87f25e752f7cf4238fa55f017957c2eb44077083d7a6a", make sure the artifact was signed successfully
=======================

Waiter CommandExecuted failed: Waiter encountered a terminal failure state: For expression "Status" we matched expected path: "Failed"
== when pulling public.ecr.aws/o7o0w6s5/public-nginx-clone:latest ==
Error response from daemon: image verifier bindir blocked pull of public.ecr.aws/o7o0w6s5/public-nginx-clone:latest with digest sha256:bd1578eec775d0b28fd7f664b182b7e1fb75f1dd09f92d865dababe8525dfe8b for reason: verifier notation-image-verifier rejected image (exit code 1): verifying image: public.ecr.aws/o7o0w6s5/public-nginx-clone@sha256:bd1578eec775d0b28fd7f664b182b7e1fb75f1dd09f92d865dababe8525dfe8b
image verification failed: Error: signature verification failed for all the signatures associated with public.ecr.aws/o7o0w6s5/public-nginx-clone@sha256:bd1578eec775d0b28fd7f664b182b7e1fb75f1dd09f92d865dababe8525dfe8b

Terms of contribution:

By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.

@sky1122 sky1122 force-pushed the ecr-credential-helper-shim branch from 62fb013 to a15c282 Compare February 17, 2026 19:55
@sky1122
[skip ci]source: add ecr-credential-helper-shim
3c37ffd 
Introduce ecr-credential-helper-shim, a Rust binary that downgrades
GODEBUG from fips140=only to fips140=on before exec'ing the Go-based
ecr-credential-helper, since the Go ECR credential helper does not
support fips140=only mode.

Signed-off-by: Jingwei Wang <jweiw@amazon.com>
@sky1122 sky1122 force-pushed the ecr-credential-helper-shim branch from a15c282 to 3c37ffd Compare February 18, 2026 19:12
arnaldo2792
arnaldo2792 reviewed Feb 24, 2026
View reviewed changes
sources/ecr-credential-helper-shim/src/main.rs
Comment on lines +9 to +12
let status = Command::new("/usr/libexec/docker-credential-ecr-login")
.args(env::args().skip(1))
.env("GODEBUG", &godebug)
.status();
Copy link
Contributor

@arnaldo2792 arnaldo2792 Feb 24, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Rather than executing the call of the helper in a separate process (fork), you should exec the call instead:

https://www.man7.org/linux/man-pages/man3/exec.3.html

So that you don't have to capture the status, and you don't have to worry about handling STDOUT/STDERR in case they require special handling by whatever is calling your shim.

sources/notation-image-verifier/main.go
// Bottlerocket does not have a $HOME set by default and notation expect to find
// credentials from the ecr-credential-helper here.
os.Setenv("HOME", "/root")
os.Setenv("GODEBUG", "fips140=on")
Copy link
Contributor

@arnaldo2792 arnaldo2792 Feb 24, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Will notation break if fips140=only? Or did you do this to guarantee that the notation process that calls your shim also enforces fips140=on? If the only thing that breaks is the ECR helper, this shouldn't be needed.

packages/ecr-credential-helper-shim/Cargo.toml
@@ -0,0 +1,15 @@
[package]
Copy link
Contributor

@arnaldo2792 arnaldo2792 Feb 24, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you clarify why a new package rather than using the OS package?

@sky1122
Copy link
Contributor Author

sky1122 commented Feb 26, 2026

Thanks for the review!!! That answer a lot of my questions and pros and cons.
Close this PR in favor of awslabs/amazon-ecr-credential-helper#1064

@sky1122 sky1122 closed this Feb 26, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@arnaldo2792 arnaldo2792 arnaldo2792 left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@sky1122 @arnaldo2792