bottlerocket-os · sky1122 · Feb 17, 2026 · arnaldo2792 · Feb 24, 2026 · arnaldo2792
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -28,6 +28,7 @@ members = [
   "packages/e2fsprogs",
   "packages/early-boot-config",
   "packages/ecr-credential-helper",
+  "packages/ecr-credential-helper-shim",
   "packages/ecr-credential-provider-1.29",
   "packages/ecr-credential-provider-1.30",
   "packages/ecr-credential-provider-1.31",

diff --git a/kits/bottlerocket-core-kit/Cargo.toml b/kits/bottlerocket-core-kit/Cargo.toml
@@ -37,6 +37,7 @@ docker-init = { path = "../../packages/docker-init" }
 e2fsprogs = { path = "../../packages/e2fsprogs" }
 early-boot-config = { path = "../../packages/early-boot-config" }
 ecr-credential-helper = { path = "../../packages/ecr-credential-helper" }
+ecr-credential-helper-shim = { path = "../../packages/ecr-credential-helper-shim" }
 ecr-credential-provider-1_29 = { path = "../../packages/ecr-credential-provider-1.29" }
 ecr-credential-provider-1_30 = { path = "../../packages/ecr-credential-provider-1.30" }
 ecr-credential-provider-1_31 = { path = "../../packages/ecr-credential-provider-1.31" }

diff --git a/packages/ecr-credential-helper-shim/Cargo.toml b/packages/ecr-credential-helper-shim/Cargo.toml
@@ -0,0 +1,15 @@
+[package]
+name = "ecr-credential-helper-shim"
+version = "0.1.0"
+edition = "2021"
+publish = false
+build = "../build.rs"
+
+[package.metadata.build-package]
+source-groups = [ "ecr-credential-helper-shim" ]
+
+[lib]
+path = "../packages.rs"
+
+[build-dependencies]
+glibc = { path = "../glibc" }
diff --git a/packages/ecr-credential-helper-shim/ecr-credential-helper-shim.spec b/packages/ecr-credential-helper-shim/ecr-credential-helper-shim.spec
@@ -0,0 +1,29 @@
+%global _cross_first_party 1
+%undefine _debugsource_packages
+
+Name: %{_cross_os}ecr-credential-helper-shim
+Version: 0.1.0
+Release: 1%{?dist}
+Summary: FIPS shim for ECR credential helper
+License: Apache-2.0 OR MIT
+URL: https://github.com/bottlerocket-os/bottlerocket
+BuildRequires: %{_cross_os}glibc-devel
+
+%description
+%{summary}.
+
+%prep
+%setup -T -c
+%cargo_prep
+
+%build
+%cargo_build --manifest-path %{_builddir}/sources/Cargo.toml \
+    -p ecr-credential-helper-shim \
+    --target-dir=${HOME}/.cache/ecr-credential-helper-shim
+
+%install
+install -d %{buildroot}%{_cross_bindir}
+install -p -m 0755 ${HOME}/.cache/ecr-credential-helper-shim/%{__cargo_target}/release/ecr-credential-helper-shim %{buildroot}%{_cross_bindir}/docker-credential-ecr-login
+
+%files
+%{_cross_bindir}/docker-credential-ecr-login
diff --git a/packages/ecr-credential-helper/ecr-credential-helper.spec b/packages/ecr-credential-helper/ecr-credential-helper.spec
@@ -8,6 +8,7 @@
 %global _dwz_low_mem_die_limit 0
 
 Name: %{_cross_os}ecr-credential-helper
+Requires: %{_cross_os}ecr-credential-helper-shim
 Version: %{rpmver}
 Release: 1%{?dist}
 Summary: Amazon ECR credential helper
@@ -31,14 +32,12 @@ BuildRequires: %{_cross_os}glibc-devel
 %cross_go_setup %{gorepo}-%{gover} %{goproject} %{goimport}
 
 %build
-# cross_go_configure cd's to the correct GOPATH location
 %cross_go_configure %{goimport}
-
 go build -ldflags="${GOLDFLAGS}" -o=docker-credential-ecr-login ./ecr-login/cli/docker-credential-ecr-login
 
 %install
-install -d %{buildroot}%{_cross_bindir}
-install -p -m 0755 docker-credential-ecr-login %{buildroot}%{_cross_bindir}
+install -d %{buildroot}%{_cross_libexecdir}
+install -p -m 0755 docker-credential-ecr-login %{buildroot}%{_cross_libexecdir}
 
 install -d %{buildroot}%{_cross_tmpfilesdir}
 install -p -m0644 %{S:10} %{buildroot}%{_cross_tmpfilesdir}/ecr-credential-helper.conf
@@ -55,9 +54,8 @@ install -p -m0600 %{S:13} %{buildroot}%{_cross_factorydir}/root/.docker/config.j
 %license LICENSE
 %{_cross_attribution_file}
 %{_cross_attribution_vendor_dir}
-%{_cross_bindir}/docker-credential-ecr-login
+%{_cross_libexecdir}/docker-credential-ecr-login
 %{_cross_factorydir}/root/.docker/config.json
 %{_cross_tmpfilesdir}/ecr-credential-helper.conf
 %{_cross_unitdir}/root-.docker.mount
 %{_cross_unitdir}/root-.ecr.mount
-
diff --git a/sources/Cargo.lock b/sources/Cargo.lock
diff --git a/sources/Cargo.toml b/sources/Cargo.toml
@@ -83,6 +83,8 @@ members = [
     "xfscli",
 
     "whippet",
+
+    "ecr-credential-helper-shim",
 ]
 
 [workspace.dependencies]

diff --git a/sources/ecr-credential-helper-shim/Cargo.toml b/sources/ecr-credential-helper-shim/Cargo.toml
@@ -0,0 +1,11 @@
+
+[package]
+name = "ecr-credential-helper-shim"
+version = "0.1.0"
+authors = ["Jingwei Wang <jweiw@amazon.com>"]
+license = "Apache-2.0 OR MIT"
+edition = "2021"
+publish = false
+# Don't rebuild crate just because of changes to README.
+exclude = ["README.md"]
+
diff --git a/sources/ecr-credential-helper-shim/src/main.rs b/sources/ecr-credential-helper-shim/src/main.rs
@@ -0,0 +1,21 @@
+use std::env;
+use std::process::{self, Command};
+
+fn main() {
+    let godebug = env::var("GODEBUG")
+        .unwrap_or_default()
+        .replace("fips140=only", "fips140=on");
+
+    let status = Command::new("/usr/libexec/docker-credential-ecr-login")
+        .args(env::args().skip(1))
+        .env("GODEBUG", &godebug)
+        .status();
+
+    match status {
+        Ok(s) => process::exit(s.code().unwrap_or(1)),
+        Err(err) => {
+            eprintln!("Failed to exec /usr/libexec/docker-credential-ecr-login: {err}");
+            process::exit(1);
+        }
+    }
+}
diff --git a/sources/notation-image-verifier/main.go b/sources/notation-image-verifier/main.go
@@ -64,6 +64,7 @@ func main() {
 	// Bottlerocket does not have a $HOME set by default and notation expect to find
 	// credentials from the ecr-credential-helper here.
 	os.Setenv("HOME", "/root")
+	os.Setenv("GODEBUG", "fips140=on")
 
 	cmd := exec.Command("notation", "verify", imageRef)
 	output, err := cmd.CombinedOutput()