Merge pull request #362 from akerouanton/retract-v0.9.0

go.mod: retract v0.9.0
2026-06-28 15:21:29 +05:30 · 2025-02-28 13:10:46 +01:00 · 2025-02-28 13:05:40 +01:00 · 2025-02-28 12:51:02 +01:00 · 2025-02-28 12:19:53 +01:00 · 2025-02-28 10:00:35 +01:00
2 changed files with 12 additions and 4 deletions
@@ -2,6 +2,8 @@ module github.com/docker/docker-credential-helpers

 go 1.21

+retract v0.9.0 // osxkeychain: a regression caused backward-incompatibility with earlier versions
+
 require (
 	github.com/danieljoos/wincred v1.2.2
 	github.com/keybase/go-keychain v0.0.1
@@ -117,8 +117,6 @@ func (h Osxkeychain) List() (map[string]string, error) {
 		default:
 			return nil, err
 		}
-	} else if len(res) == 0 {
-		return nil, credentials.NewErrCredentialsNotFound()
 	}

 	resp := make(map[string]string)
@@ -131,14 +129,22 @@ func (h Osxkeychain) List() (map[string]string, error) {
 	return resp, nil
 }

+const (
+	// Hardcoded protocol types matching their Objective-C equivalents.
+	// https://developer.apple.com/documentation/security/ksecattrprotocolhttps?language=objc
+	kSecProtocolTypeHTTPS = "htps" // This is NOT a typo.
+	// https://developer.apple.com/documentation/security/ksecattrprotocolhttp?language=objc
+	kSecProtocolTypeHTTP = "http"
+)
+
 func splitServer(serverURL string, item keychain.Item) error {
 	u, err := registryurl.Parse(serverURL)
 	if err != nil {
 		return err
 	}
-	item.SetProtocol("https")
+	item.SetProtocol(kSecProtocolTypeHTTPS)
 	if u.Scheme == "http" {
-		item.SetProtocol("http")
+		item.SetProtocol(kSecProtocolTypeHTTP)
 	}
 	item.SetServer(u.Hostname())
 	if p := u.Port(); p != "" {
Author	SHA1	Message	Date
Albin Kerouanton	833d2c334f	Merge pull request #362 from akerouanton/retract-v0.9.0 go.mod: retract v0.9.0	2025-02-28 13:10:46 +01:00
Albin Kerouanton	9651bf7802	go.mod: retract v0.9.0 Commit `4cdcdc2` introduced two regressions in the `osxkeychain` credential helper, on `list` and `get` operations. These were addressed in: - Commit `c7514a0`: osxkeychain: list: do not error out when keychain is empty - Commit `f4cdabf`: osxkeychain: store: use Apple's proto consts Signed-off-by: Albin Kerouanton <albinker@gmail.com>	2025-02-28 13:05:40 +01:00
Sebastiaan van Stijn	26274da6cf	Merge pull request #361 from akerouanton/fix-regressions-v0.9.0 [v0.9.0] osxkeychain: fix regressions on get and list	2025-02-28 12:51:02 +01:00
Albin Kerouanton	f4cdabf916	osxkeychain: store: use Apple's proto consts Commit `4cdcdc2` swapped consts `kSecProtocolTypeHTTPS` and `kSecProtocolTypeHTTP` with plain-text "https" and "http" strings. This is causing a regression where credentials stored with prior versions (< v0.9.0) can't be fetched anymore. Unfortunately we can't just revert back to using Objective-C consts, as these are unsigned integers that need to be converted into `CFStringRef` and then passed to an helper like `keychain.CFStringToString`. Although `keychain.CFStringToString` is exported, it takes a C type `C.CFStringRef` so it's not consumable from other packages due to Cgo restrictions: > Cgo translates C types into equivalent unexported Go types. Because > the translations are unexported, a Go package should not expose C > types in its exported API: a C type used in one Go package is > different from the same C type used in another. We could alternatively copy `keychain.CFStringToString` into the `osxkeychain` package, but this commit takes a simpler approach: just hardcode the value of `kSecProtocolTypeHTTPS` and `kSecProtocolTypeHTTP` as strings. (These consts are very unlikely to ever change since it'd break all existing consumers.) This is NOT handling backward compatibility with v0.9.0, since it was released only 12hrs ago. So this fix won't work with credentials created with v0.9.0. Signed-off-by: Albin Kerouanton <albinker@gmail.com>	2025-02-28 12:19:53 +01:00
Albin Kerouanton	c7514a0999	osxkeychain: list: do not error out when keychain is empty Commit `4cdcdc2` replaced the in-tree Objective-C code with github.com/keybase/go-keychain and inadvertently introduced a new failure mode on the `List` operation - it now fails when the keychain is empty. Before: ``` $ ./bin/build/docker-credential-osxkeychain list {} ``` After: ``` $ ./bin/build/docker-credential-osxkeychain list credentials not found in native keychain ``` Signed-off-by: Albin Kerouanton <albinker@gmail.com>	2025-02-28 10:00:35 +01:00