
source: add ecr-credential-helper-shim#836

Draft
sky1122 wants to merge 1 commit into bottlerocket-os:develop from sky1122:ecr-credential-helper-shim

Conversation

@sky1122
Contributor

@sky1122 sky1122 commented Feb 17, 2026

Issue number:

Closes #

Description of changes:
This is part of the changes to enable notation in fips140=only mode.
Introduce ecr-credential-helper-shim, a Rust binary that downgrades GODEBUG from fips140=only to fips140=on before exec'ing the Go-based ecr-credential-helper, since the Go ECR credential helper does not support fips140=only mode.

Testing done:

  • Build ecs-3-fips and ecs-3 variants; the image signing tests pass.
== when pulling public.ecr.aws/o7o0w6s5/public-alpine-clone:latest ==
Digest: sha256:85f2b723e106c34644cd5851d7e81ee87da98ac54672b29947c052a45d31dc2f
Status: Downloaded newer image for public.ecr.aws/o7o0w6s5/public-alpine-clone:latest
public.ecr.aws/o7o0w6s5/public-alpine-clone:latest
=======================

Waiter CommandExecuted failed: Waiter encountered a terminal failure state: For expression "Status" we matched expected path: "Failed"
== when pulling hello-world ==
Using default tag: latest
Error response from daemon: image verifier bindir blocked pull of docker.io/library/hello-world:latest with digest sha256:ef54e839ef541993b4e87f25e752f7cf4238fa55f017957c2eb44077083d7a6a for reason: verifier notation-image-verifier rejected image (exit code 1): verifying image: docker.io/library/hello-world@sha256:ef54e839ef541993b4e87f25e752f7cf4238fa55f017957c2eb44077083d7a6a
image verification failed: Error: signature verification failed: no signature is associated with "docker.io/library/hello-world@sha256:ef54e839ef541993b4e87f25e752f7cf4238fa55f017957c2eb44077083d7a6a", make sure the artifact was signed successfully
=======================

Waiter CommandExecuted failed: Waiter encountered a terminal failure state: For expression "Status" we matched expected path: "Failed"
== when pulling public.ecr.aws/o7o0w6s5/public-nginx-clone:latest ==
Error response from daemon: image verifier bindir blocked pull of public.ecr.aws/o7o0w6s5/public-nginx-clone:latest with digest sha256:bd1578eec775d0b28fd7f664b182b7e1fb75f1dd09f92d865dababe8525dfe8b for reason: verifier notation-image-verifier rejected image (exit code 1): verifying image: public.ecr.aws/o7o0w6s5/public-nginx-clone@sha256:bd1578eec775d0b28fd7f664b182b7e1fb75f1dd09f92d865dababe8525dfe8b
image verification failed: Error: signature verification failed for all the signatures associated with public.ecr.aws/o7o0w6s5/public-nginx-clone@sha256:bd1578eec775d0b28fd7f664b182b7e1fb75f1dd09f92d865dababe8525dfe8b

Terms of contribution:

By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.

@sky1122 sky1122 force-pushed the ecr-credential-helper-shim branch from 62fb013 to a15c282 on February 17, 2026 19:55
Introduce ecr-credential-helper-shim, a Rust binary that downgrades
GODEBUG from fips140=only to fips140=on before exec'ing the Go-based
ecr-credential-helper, since the Go ECR credential helper does not
support fips140=only mode.

Signed-off-by: Jingwei Wang <jweiw@amazon.com>
@sky1122 sky1122 force-pushed the ecr-credential-helper-shim branch from a15c282 to 3c37ffd on February 18, 2026 19:12
Comment on lines +9 to +12
let status = Command::new("/usr/libexec/docker-credential-ecr-login")
.args(env::args().skip(1))
.env("GODEBUG", &godebug)
.status();
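Review bot: the lines shown set `GODEBUG` to `godebug` and collect a `status`, but neither how `godebug` is derived nor what happens to `status` is visible in this hunk; if the shim stays fork-based, a non-zero or signal-terminated status from the helper must become the shim's own exit code (e.g. `std::process::exit(status.code().unwrap_or(1))`) or the caller will see success, and the rewrite should replace only the `fips140=only` entry of a comma-separated GODEBUG value so any other settings the caller passed survive.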
Contributor


Rather than executing the call of the helper in a separate process (fork), you should exec the call instead:

https://www.man7.org/linux/man-pages/man3/exec.3.html

So that you don't have to capture the status, and you don't have to worry about handling STDOUT/STDERR in case they require special handling by whatever is calling your shim.
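The shim described in the PR description and the exec-based variant the reviewer suggests above, as an added example that is not the PR's code: it rewrites only the `fips140` entry of `GODEBUG` and then replaces its own process image with the helper via `std::os::unix::process::CommandExt::exec`, so stdin, stdout, stderr and the exit status belong to the helper without the shim forwarding anything. The helper path is the one quoted from the PR; the token-wise rewrite, leaving an unset `GODEBUG` unset, and exit code 127 on exec failure are assumptions of this example.

```rust
// Added example, not the PR's code: a credential-helper shim that relaxes
// GODEBUG fips140=only to fips140=on and exec()s the real helper.
use std::env;
use std::os::unix::process::CommandExt;
use std::process::Command;

/// Path of the Go-based helper, as quoted in the PR's diff.
const HELPER: &str = "/usr/libexec/docker-credential-ecr-login";

/// Rewrite `fips140=only` to `fips140=on` inside a comma-separated GODEBUG
/// value, leaving every other setting untouched. An unset GODEBUG stays
/// unset (None), so the shim only relaxes `only` to `on`; it never enables
/// FIPS mode on its own. (Assumed semantics; the PR does not show its own.)
pub fn downgrade_fips140(godebug: Option<&str>) -> Option<String> {
    let value = godebug?;
    let rewritten: Vec<&str> = value
        .split(',')
        .map(|kv| if kv.trim() == "fips140=only" { "fips140=on" } else { kv })
        .collect();
    Some(rewritten.join(","))
}

fn main() {
    let godebug = env::var("GODEBUG").ok();

    let mut cmd = Command::new(HELPER);
    // Forward the caller's arguments (e.g. `get`, `store`) verbatim.
    cmd.args(env::args_os().skip(1));
    if let Some(v) = downgrade_fips140(godebug.as_deref()) {
        cmd.env("GODEBUG", v);
    }

    // exec() only returns on failure; on success this process image is
    // replaced by the helper, whose stdio and exit status the caller sees.
    let err = cmd.exec();
    eprintln!("ecr-credential-helper-shim: failed to exec {}: {}", HELPER, err);
    std::process::exit(127); // assumed convention: command not executable
}
```

Because the helper inherits the file descriptors of the shim, a caller such as notation that reads the credential JSON from the helper's stdout sees it exactly as if it had launched the helper directly.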

// Bottlerocket does not have a $HOME set by default and notation expect to find
// credentials from the ecr-credential-helper here.
os.Setenv("HOME", "/root")
os.Setenv("GODEBUG", "fips140=on")
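Review bot: the comment above these two lines only explains the `HOME` assignment; `os.Setenv("GODEBUG", "fips140=on")` needs its own comment stating what it is for, since a value set with `os.Setenv` is inherited by child processes started afterwards, so if the intent is only to relax the mode for the exec'ed credential helper this line duplicates the rewrite the shim already performs; either document that overlap or keep just one of the two.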
Contributor


Will notation break if fips140=only? Or did you do this to guarantee that the notation process that calls your shim also enforces fips140=on? If the only thing that breaks is the ECR helper, this shouldn't be needed.

@@ -0,0 +1,15 @@
[package]
Contributor


Can you clarify why a new package rather than using the OS package?
