mirror of
https://github.com/docker/docker-credential-helpers.git
synced 2026-06-13 16:01:28 +05:30
Sebastiaan van Stijn
62deeb49c1
go1.25.7 (released 2026-02-04) includes security fixes to the go command and the crypto/tls package, as well as bug fixes to the compiler and the crypto/x509 package. See the Go 1.25.7 milestone on our issue tracker for details: https://github.com/golang/go/issues?q=milestone%3AGo1.25.7+label%3ACherryPickApproved full diff: https://github.com/golang/go/compare/go1.25.6...go1.25.7 From the security mailing list: > Hello gophers, > > We have just released Go versions 1.25.7 and 1.24.13, minor point releases. > > These releases include 2 security fixes following the security policy: > > - cmd/cgo: remove user-content from doc strings in cgo ASTs > > A discrepancy between how Go and C/C++ comments > were parsed allowed for code smuggling into the > resulting cgo binary. > > To prevent this behavior, the cgo compiler > will no longer parse user-provided doc > comments. > > Thank you to RyotaK (https://ryotak.net) of > GMO Flatt Security Inc. for reporting this issue. > > This is CVE-2025-61732 and https://go.dev/issue/76697. > > - crypto/tls: unexpected session resumption when using Config.GetConfigForClient > > Config.GetConfigForClient is documented to use the original Config's session > ticket keys unless explicitly overridden. This can cause unexpected behavior if > the returned Config modifies authentication parameters, like ClientCAs: a > connection initially established with the parent (or a sibling) Config can be > resumed, bypassing the modified authentication requirements. > > If ClientAuth is VerifyClientCertIfGiven or RequireAndVerifyClientCert (on the > server) or InsecureSkipVerify is false (on the client), crypto/tls now checks > that the root of the previously-verified chain is still in ClientCAs/RootCAs > when resuming a connection. > > Go 1.26 Release Candidate 2, Go 1.25.6, and Go 1.24.12 had fixed a similar issue > related to session ticket keys being implicitly shared by Config.Clone. Since > this fix is broader, the Config.Clone behavior change has been reverted. > > Note that VerifyPeerCertificate still behaves as documented: it does not apply > to resumed connections. Applications that use Config.GetConfigForClient or > Config.Clone and do not wish to blindly resume connections established with the > original Config must use VerifyConnection instead (or SetSessionTicketKeys or > SessionTicketsDisabled). > > Thanks to Coia Prant (github.com/rbqvq) for reporting this issue. > > This updates CVE-2025-68121 and Go issue https://go.dev/issue/77217. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
151 lines
4.9 KiB
Docker
151 lines
4.9 KiB
Docker
# syntax=docker/dockerfile:1
|
|
|
|
ARG GO_VERSION=1.25.7
|
|
ARG DEBIAN_VERSION=bookworm
|
|
|
|
ARG XX_VERSION=1.7.0
|
|
ARG OSXCROSS_VERSION=11.3-r8-debian
|
|
ARG GOLANGCI_LINT_VERSION=v2.8
|
|
|
|
ARG PACKAGE=github.com/docker/docker-credential-helpers
|
|
|
|
# xx is a helper for cross-compilation
|
|
FROM --platform=$BUILDPLATFORM tonistiigi/xx:${XX_VERSION} AS xx
|
|
|
|
# osxcross contains the MacOSX cross toolchain for xx
|
|
FROM crazymax/osxcross:${OSXCROSS_VERSION} AS osxcross
|
|
|
|
FROM --platform=$BUILDPLATFORM golang:${GO_VERSION}-${DEBIAN_VERSION} AS gobase
|
|
COPY --from=xx / /
|
|
RUN apt-get update && apt-get install -y --no-install-recommends clang dpkg-dev file git lld llvm make pkg-config rsync
|
|
ENV GOFLAGS="-mod=vendor"
|
|
ENV CGO_ENABLED="1"
|
|
WORKDIR /src
|
|
|
|
FROM gobase AS vendored
|
|
RUN --mount=target=/context \
|
|
--mount=target=.,type=tmpfs \
|
|
--mount=target=/go/pkg/mod,type=cache <<EOT
|
|
set -e
|
|
rsync -a /context/. .
|
|
go mod tidy
|
|
go mod vendor
|
|
mkdir /out
|
|
cp -r go.mod go.sum vendor /out
|
|
EOT
|
|
|
|
FROM scratch AS vendor-update
|
|
COPY --from=vendored /out /
|
|
|
|
FROM vendored AS vendor-validate
|
|
RUN --mount=target=/context \
|
|
--mount=target=.,type=tmpfs <<EOT
|
|
set -e
|
|
rsync -a /context/. .
|
|
git add -A
|
|
rm -rf vendor
|
|
cp -rf /out/* .
|
|
if [ -n "$(git status --porcelain -- go.mod go.sum vendor)" ]; then
|
|
echo >&2 'ERROR: Vendor result differs. Please vendor your package with "make vendor"'
|
|
git status --porcelain -- go.mod go.sum vendor
|
|
exit 1
|
|
fi
|
|
EOT
|
|
|
|
FROM golangci/golangci-lint:${GOLANGCI_LINT_VERSION} AS golangci-lint
|
|
FROM gobase AS lint
|
|
RUN apt-get install -y binutils gcc libc6-dev libgcc-11-dev libsecret-1-dev pkg-config
|
|
RUN --mount=type=bind,target=. \
|
|
--mount=type=cache,target=/root/.cache \
|
|
--mount=from=golangci-lint,source=/usr/bin/golangci-lint,target=/usr/bin/golangci-lint \
|
|
golangci-lint run ./...
|
|
|
|
FROM gobase AS base
|
|
ARG TARGETPLATFORM
|
|
RUN xx-apt-get install -y binutils gcc libc6-dev libgcc-11-dev libsecret-1-dev pkg-config
|
|
|
|
FROM base AS test
|
|
RUN xx-apt-get install -y dbus-x11 gnome-keyring gpg-agent gpgconf libsecret-1-dev pass
|
|
RUN --mount=type=bind,target=. \
|
|
--mount=type=cache,target=/root/.cache \
|
|
--mount=type=cache,target=/go/pkg/mod <<EOT
|
|
set -e
|
|
cp -r .github/workflows/fixtures /root/.gnupg
|
|
gpg-connect-agent "RELOADAGENT" /bye
|
|
gpg --import --batch --yes /root/.gnupg/7D851EB72D73BDA0.key
|
|
gpg --update-trustdb
|
|
echo '5\ny\n' | gpg --command-fd 0 --no-tty --edit-key 7D851EB72D73BDA0 trust
|
|
gpg-connect-agent "PRESET_PASSPHRASE 3E2D1142AA59E08E16B7E2C64BA6DDC773B1A627 -1 77697468207374757069642070617373706872617365" /bye
|
|
gpg-connect-agent "KEYINFO 3E2D1142AA59E08E16B7E2C64BA6DDC773B1A627" /bye
|
|
gpg-connect-agent "PRESET_PASSPHRASE BA83FC8947213477F28ADC019F6564A956456163 -1 77697468207374757069642070617373706872617365" /bye
|
|
gpg-connect-agent "KEYINFO BA83FC8947213477F28ADC019F6564A956456163" /bye
|
|
pass init 7D851EB72D73BDA0
|
|
gpg -k
|
|
|
|
mkdir /out
|
|
xx-go --wrap
|
|
make test COVERAGEDIR=/out
|
|
EOT
|
|
|
|
FROM scratch AS test-coverage
|
|
COPY --from=test /out /
|
|
|
|
FROM gobase AS version
|
|
RUN --mount=target=. \
|
|
echo -n "$(./hack/git-meta version)" | tee /tmp/.version ; echo -n "$(./hack/git-meta revision)" | tee /tmp/.revision
|
|
|
|
FROM base AS build
|
|
ARG PACKAGE
|
|
RUN --mount=type=bind,target=. \
|
|
--mount=type=cache,target=/root/.cache \
|
|
--mount=type=cache,target=/go/pkg/mod \
|
|
--mount=type=bind,from=osxcross,src=/osxsdk,target=/xx-sdk \
|
|
--mount=type=bind,source=/tmp/.version,target=/tmp/.version,from=version \
|
|
--mount=type=bind,source=/tmp/.revision,target=/tmp/.revision,from=version <<EOT
|
|
set -ex
|
|
export MACOSX_VERSION_MIN=$(make print-MACOSX_DEPLOYMENT_TARGET)
|
|
xx-go --wrap
|
|
case "$(xx-info os)" in
|
|
linux)
|
|
make build-pass build-secretservice PACKAGE=$PACKAGE VERSION=$(cat /tmp/.version) REVISION=$(cat /tmp/.revision) DESTDIR=/out
|
|
xx-verify /out/docker-credential-pass
|
|
xx-verify /out/docker-credential-secretservice
|
|
;;
|
|
darwin)
|
|
go install std
|
|
make build-osxkeychain build-pass PACKAGE=$PACKAGE VERSION=$(cat /tmp/.version) REVISION=$(cat /tmp/.revision) DESTDIR=/out
|
|
xx-verify /out/docker-credential-osxkeychain
|
|
xx-verify /out/docker-credential-pass
|
|
;;
|
|
windows)
|
|
make build-wincred PACKAGE=$PACKAGE VERSION=$(cat /tmp/.version) REVISION=$(cat /tmp/.revision) DESTDIR=/out
|
|
mv /out/docker-credential-wincred /out/docker-credential-wincred.exe
|
|
xx-verify /out/docker-credential-wincred.exe
|
|
;;
|
|
esac
|
|
EOT
|
|
|
|
FROM scratch AS binaries
|
|
COPY --from=build /out /
|
|
|
|
FROM --platform=$BUILDPLATFORM alpine AS releaser
|
|
WORKDIR /work
|
|
ARG TARGETOS
|
|
ARG TARGETARCH
|
|
ARG TARGETVARIANT
|
|
RUN --mount=from=binaries \
|
|
--mount=type=bind,source=/tmp/.version,target=/tmp/.version,from=version <<EOT
|
|
set -e
|
|
mkdir /out
|
|
version="$(cat /tmp/.version)"
|
|
[ "$TARGETOS" = "windows" ] && ext=".exe"
|
|
for f in *; do
|
|
cp "$f" "/out/${f%.*}-${version}.${TARGETOS}-${TARGETARCH}${TARGETVARIANT}${ext}"
|
|
done
|
|
EOT
|
|
|
|
FROM scratch AS release
|
|
COPY --from=releaser /out/ /
|
|
|
|
FROM binaries
|