From 34aaef5ddb21f0b3ece9f6dd48e5b110f4ade42e Mon Sep 17 00:00:00 2001
From: Mike Sul <mike.sul@foundries.io>
Date: Mon, 5 Jan 2026 14:13:20 +0100
Subject: [PATCH 1/2] reg_client: Normalize dockerhub hostname for auth

If a given reference refers to an image hosted in the dockerhub, then
the reference hostname must be normalized to the full dockerhub hostname
URL before searching auth material in the config file since
`docker login docker.io` sets a record for
`https://index.docker.io/v1/` in the docker's config file.

Signed-off-by: Mike Sul <mike.sul@foundries.io>
---
 internal/reg_client.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/internal/reg_client.go b/internal/reg_client.go
index d50cf76..100f298 100644
--- a/internal/reg_client.go
+++ b/internal/reg_client.go
@@ -31,7 +31,7 @@ type RegistryClient struct {
 
 func ResolveAuthConfig(ctx context.Context, index *registrytypes.IndexInfo) registrytypes.AuthConfig {
 	cfg := config.LoadDefaultConfigFile(os.Stderr)
-	a, _ := cfg.GetAuthConfig(index.Name)
+	a, _ := cfg.GetAuthConfig(registry.GetAuthConfigKey(index))
 	return registrytypes.AuthConfig(a)
 }
 

From 78039692be22e7954d3767b06965e92563879088 Mon Sep 17 00:00:00 2001
From: Mike Sul <mike.sul@foundries.io>
Date: Wed, 7 Jan 2026 11:04:39 +0100
Subject: [PATCH 2/2] auth: Allow pulling apps from dockerhub

A fix that enables pulling compose apps hosted in the dockerhub.
Specifically, this change allows running
`docker pull | check docker.io/<repo>/<app>@sha256:<>`

Signed-off-by: Mike Sul <mike.sul@foundries.io>
---
 pkg/compose/auth.go | 21 ++++++++++++++++-----
 1 file changed, 16 insertions(+), 5 deletions(-)

diff --git a/pkg/compose/auth.go b/pkg/compose/auth.go
index 721dffb..27ed9c2 100644
--- a/pkg/compose/auth.go
+++ b/pkg/compose/auth.go
@@ -2,9 +2,19 @@ package compose
 
 import (
 	"fmt"
+	"net/http"
+
 	"github.com/containerd/containerd/remotes/docker"
 	"github.com/docker/cli/cli/config/configfile"
-	"net/http"
+)
+
+const (
+	DefaultDockerRegistryHost = "registry-1.docker.io"
+	DefaultDockerIndexHost    = "https://index.docker.io/v1/"
+)
+
+type (
+	authCredsFunc func(string) (string, string, error)
 )
 
 func NewRegistryAuthorizer(cfg *configfile.ConfigFile, client *http.Client) docker.Authorizer {
@@ -14,12 +24,13 @@ func NewRegistryAuthorizer(cfg *configfile.ConfigFile, client *http.Client) dock
 	)
 }
 
-type (
-	authCredsFunc func(string) (string, string, error)
-)
-
 func getAuthCreds(cfg *configfile.ConfigFile) authCredsFunc {
 	return func(host string) (string, string, error) {
+		// containerd code translates "docker.io" into "registry-1.docker.io"
+		if host == DefaultDockerRegistryHost {
+			// but docker cli uses "https://index.docker.io/v1/" as the key to store auth config
+			host = DefaultDockerIndexHost
+		}
 		creds, err := cfg.GetAllCredentials()
 		if err != nil {
 			return "", "", err