From 458d3fdc93d6185e68c4eb83c00c68d5e1590ad2 Mon Sep 17 00:00:00 2001 From: Rackoon <32634987+WildRackoon@users.noreply.github.com> Date: Fri, 19 Dec 2025 20:01:21 +0100 Subject: [PATCH 1/3] Allow using credential 'filestore' explicitly Signed-off-by: Rackoon <32634987+WildRackoon@users.noreply.github.com> --- cli/config/configfile/file.go | 3 +++ 1 file changed, 3 insertions(+) diff --git a/cli/config/configfile/file.go b/cli/config/configfile/file.go index fab3ed4cba13..3dfae04818e6 100644 --- a/cli/config/configfile/file.go +++ b/cli/config/configfile/file.go @@ -290,6 +290,9 @@ func (configFile *ConfigFile) GetCredentialsStore(registryHostname string) crede store := credentials.NewFileStore(configFile) if helper := getConfiguredCredentialStore(configFile, registryHostname); helper != "" { + if helper == "filestore" { + return store + } store = newNativeStore(configFile, helper) } From ee43f57028da98b93f863ef0390158134c94ce4d Mon Sep 17 00:00:00 2001 From: Rackoon <32634987+WildRackoon@users.noreply.github.com> Date: Fri, 19 Dec 2025 20:12:14 +0100 Subject: [PATCH 2/3] Document reserved 'filestore' usage Signed-off-by: Rackoon <32634987+WildRackoon@users.noreply.github.com> --- docs/reference/commandline/login.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/docs/reference/commandline/login.md b/docs/reference/commandline/login.md index 95efbc9de245..7f6201f50d46 100644 --- a/docs/reference/commandline/login.md +++ b/docs/reference/commandline/login.md @@ -83,6 +83,9 @@ For example, to use `docker-credential-osxkeychain`: } ``` +The reserved value `filestore` can be used to store the base64-encoded +credentials directly in the `config.json` configuration file. + If you are currently logged in, run `docker logout` to remove the credentials from the file and run `docker login` again. @@ -92,7 +95,7 @@ By default, Docker looks for the native binary on each of the platforms, i.e. `osxkeychain` on macOS, `wincred` on Windows, and `pass` on Linux. A special case is that on Linux, Docker will fall back to the `secretservice` binary if it cannot find the `pass` binary. If none of these binaries are present, it -stores the base64-encoded credentials in the `config.json` configuration file. +follows the `filestore` behavior described above. #### Credential helper protocol From ebb3d466bd48ee37ba50334299ff15a5c0ed608b Mon Sep 17 00:00:00 2001 From: Rackoon <32634987+WildRackoon@users.noreply.github.com> Date: Fri, 19 Dec 2025 21:27:12 +0100 Subject: [PATCH 3/3] Fix ambiguous doc on credential store fallback Signed-off-by: Rackoon <32634987+WildRackoon@users.noreply.github.com> --- docs/reference/commandline/login.md | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/docs/reference/commandline/login.md b/docs/reference/commandline/login.md index 7f6201f50d46..2fd24c545a91 100644 --- a/docs/reference/commandline/login.md +++ b/docs/reference/commandline/login.md @@ -30,14 +30,15 @@ store](#credential-stores). If you use Docker Desktop, credentials are automatically saved to the native keychain of your operating system. If you're not using Docker Desktop, you can configure the credential store in the Docker configuration file, which is located at `$HOME/.docker/config.json` on Linux or -`%USERPROFILE%/.docker/config.json` on Windows. If you don't configure a -credential store, Docker stores credentials in the `config.json` file in a -base64-encoded format. This method is less secure than configuring and using a -credential store. +`%USERPROFILE%/.docker/config.json` on Windows. -`docker login` also supports [credential helpers](#credential-helpers) to help +`docker login` supports [credential helpers](#credential-helpers) to help you handle credentials for specific registries. +If you don't configure a credential store and no credential helper is available, +Docker stores credentials in the `config.json` file in a base64-encoded format. +This method is less secure than configuring and using a credential store. + ### Authentication methods You can authenticate to a registry using a username and access token or