Docker registry token defaults to "A" #16669

Open
3 tasks done
MarkRx opened this issue Feb 15, 2024 · 8 comments
Labels
bug Reproducible Homebrew/brew bug help wanted We want help addressing this

Comments

@MarkRx

MarkRx commented Feb 15, 2024

brew doctor output

bash-3.2$ brew doctor
Your system is ready to brew.

Verification

  • My "brew doctor output" above says Your system is ready to brew. and am still able to reproduce my issue.
  • I ran brew update twice and am still able to reproduce my issue.
  • This issue's title and/or description do not reference a single formula e.g. brew install wget. If they do, open an issue at https://github.com/Homebrew/homebrew-core/issues/new/choose instead.

brew config output

bash-3.2$ brew config
HOMEBREW_VERSION: >=4.1.0 (shallow or no git repository)
ORIGIN: (none)
HEAD: (none)
Last commit: never
Core tap JSON: 14 Feb 20:32 UTC
Core cask tap JSON: 14 Feb 20:33 UTC
HOMEBREW_PREFIX: /opt/homebrew
HOMEBREW_ARTIFACT_DOMAIN: https://myrepository.com/artifactory/homebrew-remote
HOMEBREW_CASK_OPTS: []
HOMEBREW_MAKE_JOBS: 8
HOMEBREW_NO_AUTO_UPDATE: set
Homebrew Ruby: 3.1.4 => /opt/homebrew/Library/Homebrew/vendor/portable-ruby/3.1.4/bin/ruby
CPU: octa-core 64-bit arm_firestorm_icestorm
Clang: 15.0.0 build 1500
Git: 2.43.2 => /opt/homebrew/bin/git
Curl: 8.1.2 => /usr/bin/curl
macOS: 13.6-arm64
CLT: 15.1.0.0.1.1700200546
Xcode: 15.2
Rosetta 2: false

What were you trying to do (and why)?

Connect to a private repository using anonymous access

What happened (include all command output)?

The default Authorization: Bearer token sent is QQ== ("A"). As a result anonymous access fails.

bash-3.2$ brew install openjdk@17 --verbose
==> Downloading https://myrepository.com/artifactory/homebrew-remote/v2/homebrew/core/openjdk/17/manifests/17.0.9
Already downloaded: /Users/homebrew/Library/Caches/Homebrew/downloads/6274f55d293c4208920a5d52b3b06d4a9dedb0e7139b671f4f66fada2abbc486--openjdk@17-17.0.9.bottle_manifest.json
==> Fetching openjdk@17
==> Downloading https://myrepository.com/artifactory/homebrew-remote/v2/homebrew/core/openjdk/17/blobs/sha256:41eda5749bf9032865a1168a0306a5b089f3098433dc1b95eebe82bedb98f023
/usr/bin/env /opt/homebrew/Library/Homebrew/shims/shared/curl --disable --cookie /dev/null --globoff --show-error --user-agent Homebrew/4.X.Y\ (Macintosh;\ arm64\ Mac\ OS\ X\ 13.6)\ curl/8.1.2 --header Accept-Language:\ en --fail --retry 3 --header Authorization:\ Bearer\ QQ== --remote-time --output /Users/homebrew/Library/Caches/Homebrew/downloads/0979b1d425479e75863f78205c409052fa471b62c25cf53cdb97a96be46c5152--openjdk@17--17.0.9.arm64_ventura.bottle.tar.gz.incomplete --location https://myrepository.com/artifactory/homebrew-remote/v2/homebrew/core/openjdk/17/blobs/sha256:41eda5749bf9032865a1168a0306a5b089f3098433dc1b95eebe82bedb98f023
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 101 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
curl: (22) The requested URL returned error: 401
Error: openjdk@17: Failed to download resource "openjdk@17"
Download failed: https://myrepository.com/artifactory/homebrew-remote/v2/homebrew/core/openjdk/17/blobs/sha256:41eda5749bf9032865a1168a0306a5b089f3098433dc1b95eebe82bedb98f023

What did you expect to happen?

The request does not attempt to send an auth header because there is no token set up. Why is the default token "A"?

Step-by-step reproduction instructions (by running brew commands)

1. Configure brew to use a private repository using HOMEBREW_ARTIFACT_DOMAIN
2. Attempt to install a package
3. The install fails since an invalid auth header is sent
@MarkRx MarkRx added the bug Reproducible Homebrew/brew bug label Feb 15, 2024
@Bo98
Member

Bo98 commented Feb 15, 2024

> Why is the default token "A"?

Because GitHub Packages is the default registry and it requires an authentication header (even though the value is bogus).

It can be customised with HOMEBREW_DOCKER_REGISTRY_TOKEN however (or HOMEBREW_DOCKER_REGISTRY_BASIC_AUTH_TOKEN for Basic auth instead of Bearer)

@MarkRx
Author

MarkRx commented Feb 15, 2024

Unfortunately it seems those environment variables are not respected if set to nothing:

bash-3.2$ export HOMEBREW_DOCKER_REGISTRY_TOKEN=
bash-3.2$ export HOMEBREW_DOCKER_REGISTRY_BASIC_AUTH_TOKEN=

bash-3.2$ env | sort
. . .
HOME=/Users/homebrew
HOMEBREW_DOCKER_REGISTRY_BASIC_AUTH_TOKEN=
HOMEBREW_DOCKER_REGISTRY_TOKEN=
. . .

bash-3.2$ brew install openjdk@17 --verbose
==> Downloading https://myrepository.com/artifactory/homebrew-remote/v2/homebrew/core/openjdk/17/manifests/17.0.9
/usr/bin/env /opt/homebrew/Library/Homebrew/shims/shared/curl --disable --cookie /dev/null --globoff --show-error --user-agent Homebrew/4.X.Y\ (Macintosh;\ arm64\ Mac\ OS\ X\ 13.6)\ curl/8.1.2 --header Accept-Language:\ en --fail --retry 3 --header Accept:\ application/vnd.oci.image.index.v1+json --header Authorization:\ Bearer\ QQ== --remote-time --output /Users/homebrew/Library/Caches/Homebrew/downloads/6274f55d293c4208920a5d52b3b06d4a9dedb0e7139b671f4f66fada2abbc486--openjdk@17-17.0.9.bottle_manifest.json.incomplete --location https://myrepository.com/artifactory/homebrew-remote/v2/homebrew/core/openjdk/17/manifests/17.0.9
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 101 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
curl: (22) The requested URL returned error: 401

@MikeMcQuaid
Member

> Unfortunately it seems those environment variables are not respected if set to nothing:

Correct.

To ensure we've understood correctly: you have a private Artifactory but it does not have any authentication?

@MarkRx
Author

MarkRx commented Feb 19, 2024

There is authentication but we allow anonymous access on repository mirrors (remote repositories) on our private Artifactory instance. Hence homebrew-remote which mirrors ghcr.io does not require authentication.

We could create an account for homebrew access but I'd prefer not to as that creates additional overhead for password/token rotation.

@MikeMcQuaid
Member

We'll review a PR to fix this.

@MikeMcQuaid MikeMcQuaid added the help wanted We want help addressing this label Feb 20, 2024
@colindean
Member

colindean commented Mar 26, 2024

A potential quick fix for this might be to set HOMEBREW_GITHUB_PACKAGES_AUTH="Bearer QQ==" only when both:

  • HOMEBREW_ARTIFACT_DOMAIN isn't set
  • HOMEBREW_BOTTLE_DOMAIN isn't OR is set to the default (https://ghcr.io/v2/homebrew/core respectively)

if [[ -n "${HOMEBREW_DOCKER_REGISTRY_TOKEN}" ]]
then
  export HOMEBREW_GITHUB_PACKAGES_AUTH="Bearer ${HOMEBREW_DOCKER_REGISTRY_TOKEN}"
elif [[ -n "${HOMEBREW_DOCKER_REGISTRY_BASIC_AUTH_TOKEN}" ]]
then
  export HOMEBREW_GITHUB_PACKAGES_AUTH="Basic ${HOMEBREW_DOCKER_REGISTRY_BASIC_AUTH_TOKEN}"
else
  export HOMEBREW_GITHUB_PACKAGES_AUTH="Bearer QQ=="
fi

One blind spot: Is sending QQ== something unique to ghcr.io, or does any Docker registry require a token and the clients just know to use this Base64'd A if otherwise unset?
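
The comment above proposes sending the placeholder token only when the default registry is in use. An added sketch of that selection logic follows; it is not Homebrew's code and was not posted by anyone in this thread. `uses_default_registry` and `registry_auth_header` are hypothetical names, and the default bottle domain is the value quoted in the comment.

```sh
# Added example, not Homebrew's code. Function names are hypothetical.
# Assumption: the default bottle domain is the one quoted in the comment.
DEFAULT_BOTTLE_DOMAIN="https://ghcr.io/v2/homebrew/core"

# Succeeds only when no custom artifact domain is set and the bottle
# domain is unset, empty, or equal to the default.
uses_default_registry() {
  [ -z "${HOMEBREW_ARTIFACT_DOMAIN:-}" ] || return 1
  [ -z "${HOMEBREW_BOTTLE_DOMAIN:-}" ] && return 0
  [ "${HOMEBREW_BOTTLE_DOMAIN}" = "${DEFAULT_BOTTLE_DOMAIN}" ]
}

# Prints the Authorization header value to send. Prints nothing when no
# header should be sent, i.e. a custom registry with no token configured,
# so anonymous access is attempted without a bogus credential.
registry_auth_header() {
  if [ -n "${HOMEBREW_DOCKER_REGISTRY_TOKEN:-}" ]
  then
    printf 'Bearer %s\n' "${HOMEBREW_DOCKER_REGISTRY_TOKEN}"
  elif [ -n "${HOMEBREW_DOCKER_REGISTRY_BASIC_AUTH_TOKEN:-}" ]
  then
    printf 'Basic %s\n' "${HOMEBREW_DOCKER_REGISTRY_BASIC_AUTH_TOKEN}"
  elif uses_default_registry
  then
    # "QQ==" is "A" in Base64, the placeholder discussed in this issue.
    printf 'Bearer QQ==\n'
  fi
}

# Show the decision for the current environment.
printf 'Authorization header: %s\n' "$(registry_auth_header)"
```

An empty result means the caller should omit `--header Authorization: ...` from the curl command entirely rather than send an empty value.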

@MikeMcQuaid
Member

> Is sending QQ== something unique to ghcr.io

I think this is the case.

@MikeMcQuaid
Member

> A potential quick fix

@colindean can you open a PR? Thanks.
