Verifying credentials not finishing #6469

Closed
3 tasks done
ushiii111798 opened this issue Sep 2, 2022 · 14 comments

@ushiii111798

ushiii111798 commented Sep 2, 2022

  • I have tried with the latest version of Docker Desktop
  • I have tried disabling enabled experimental features
  • I have uploaded Diagnostics
  • Diagnostics ID: 63F28938-D227-4C4C-B179-36392EC0D1E0/20220902021549

Expected behavior

Successfully Sign in

Actual behavior

After signing in via the web browser, Docker Desktop hangs at "Verifying credentials"

Information

It is totally reproducible

  • macOS Version: macOS 13 beta 6
  • Intel chip or Apple chip: M1 Pro
  • Docker Desktop Version: 4.12.0

Output of /Applications/Docker.app/Contents/MacOS/com.docker.diagnose check

Screenshot 2022-09-02 at 11 13 15

Steps to reproduce the behavior

just to try signing in

@kaorihinata

kaorihinata commented Sep 2, 2022

Just confirming as I can't tell with the provided information, but does this cover the registry login issue with 4.12.0, and Ventura Beta 6? Are you also seeing a reproducible hang with docker login? This was a holdover from 4.11.x, and was mentioned in #6465, but I do want to make it clear to people coming from #6465 as to whether or not this ticket covers the issues they are having.

@jovezhong

Same GUI issue on Mac Ventura Beta 4 (13.0 Beta 22A5331f).

For CLI

docker version

Client:
Cloud integration: v1.0.29
Version: 20.10.17
API version: 1.41
Go version: go1.17.11
Git commit: 100c701
Built: Mon Jun 6 23:04:45 2022
OS/Arch: darwin/arm64
Context: default
Experimental: true

Server: Docker Desktop 4.12.0 (85629)
Engine:
Version: 20.10.17
API version: 1.41 (minimum version 1.12)
Go version: go1.17.11
Git commit: a89b842
Built: Mon Jun 6 23:01:01 2022
OS/Arch: linux/arm64
Experimental: false
containerd:
Version: 1.6.8
GitCommit: 9cd3357b7fd7218e4aec3eae239db1f68a5a6ec6
runc:
Version: 1.1.4
GitCommit: v1.1.4-0-g5fd4c4d
docker-init:
Version: 0.19.0
GitCommit: de40ad0

docker login

Login with your Docker ID to push and pull images from Docker Hub. If you don't have a Docker ID, head over to https://hub.docker.com to create one.
Username: ***
Password:
Error saving credentials: error storing credentials - err: exit status 1, out: Post "http://ipc/registry/credstore-updated": context deadline exceeded (Client.Timeout exceeded while awaiting headers)

@acacioes

acacioes commented Sep 3, 2022

I have the same problem, how about it now?

@jovezhong

Cool, by checking the doc, I found a workaround:

  • vim $HOME/.docker/config.json change credsStore value from "desktop" to "osxkeychain"
  • docker login will pass with the following warning

Login Succeeded

Logging in with your password grants your terminal complete access to your account.
For better security, log in with a limited-privilege personal access token. Learn more at https://docs.docker.com/go/access-tokens/

Since we are not using desktop credential store, your Docker Desktop remains unauthenticated, but good for CLI.

Hope it helps

@kaorihinata

Yeah, that's the issue I'm seeing. Another way I've been able to work around it on the CLI is by attempting to docker login, immediately aborting with CTRL+C without waiting for it to time out, then running the same command again. The second time it succeeds (for me, at least), with one caveat: after a certain amount of time it will fail to work again.

For example, the following would probably succeed:

  1. docker login.
  2. Abort the docker login before it times out.
  3. docker login again.
  4. Assuming it succeeds, perform some action with the registry (push an image or manifest, for example.) Something quick that will interact with the registry immediately.
  5. docker logout.

However, the following would probably fail:

  1. docker login.
  2. Abort the docker login before it times out.
  3. docker login again.
  4. Perform a docker build which takes a few minutes to run.
  5. Perform some action with the registry (push an image or manifest, for example.)

Most likely at this point you will receive an access denied while attempting to interact with the remote registry. It feels like running docker login the first time ties up something on the backend (or it just never starts in the first place), and when you abort early and try again, another instance of that something is started up which handles the login correctly. I wouldn't know what pieces are in play here, but perhaps the developers will be able to glean something useful from these interactions.

@kaorihinata

kaorihinata commented Sep 3, 2022

Following on from the above, the following only appears in the system logs (via Utilities/Console.app) if the command is going to time out:

error	15:10:22.012968-0400	taskgated-helper	Disallowing docker-credential-osxkeychain because no eligible provisioning profiles found
error	15:10:22.100985-0400	docker-credential-osxkeychain	open flag(s) 0x01000000 are reserved for VFS use and do not affect behaviour when passed to sqlite3_open_v2
error	15:10:22.101015-0400	docker-credential-osxkeychain	cannot open file at line 46870 of [bc8a7f24e4]
error	15:10:22.101022-0400	docker-credential-osxkeychain	os_unix.c:46870: (2) open(/private/var/db/DetachedSignatures) - No such file or directory
error	15:13:33.871941-0400	docker-credential-osxkeychain	open flag(s) 0x01000000 are reserved for VFS use and do not affect behaviour when passed to sqlite3_open_v2
error	15:13:33.871994-0400	docker-credential-osxkeychain	cannot open file at line 46870 of [bc8a7f24e4]
error	15:13:33.872004-0400	docker-credential-osxkeychain	os_unix.c:46870: (2) open(/private/var/db/DetachedSignatures) - No such file or directory
error	15:16:05.425729-0400	docker-credential-osxkeychain	open flag(s) 0x01000000 are reserved for VFS use and do not affect behaviour when passed to sqlite3_open_v2
error	15:16:05.425765-0400	docker-credential-osxkeychain	cannot open file at line 46870 of [bc8a7f24e4]
error	15:16:05.425776-0400	docker-credential-osxkeychain	os_unix.c:46870: (2) open(/private/var/db/DetachedSignatures) - No such file or directory

Let me know if there's anything I can do to provide more information.

Edit: To clarify, I performed the above sequence 3 times, which is why there are 3 groups of lines.

@kaorihinata

kaorihinata commented Sep 3, 2022

I believe I have an explanation for this behavior now. docker-credential-desktop appears to be the culprit.

When you first attempt to docker login, this spins up docker-credential-desktop store to insert the credential into the credential store in the background, then blocks while waiting for a response. So long as this store attempt is alive, the potential credential remains in the credential store. Aborting docker login at this point does not stop the docker-credential-desktop store instance running in the background, and when you spin up another instance of docker login, this spins up another instance of docker-credential-desktop, but this time it simply docker-credential-desktop gets the existing credential. If at any point during your usage the previous store attempt finally times out, the credential is wiped from the store, and will break anything you do after that. There appears to be a similar hang when attempting a docker-credential-desktop erase.

Edit: Well, docker-credential-desktop, or whatever it's communicating with is the culprit I mean.
Edit 2: I forgot to mention, but I have tested this, and you can as well if you'd like. The credential is visible using docker-credential-desktop list for the duration of the attempted store operation.
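
An added diagnostic example, not part of the original comment and not Docker's code: it runs a credential helper's list command (the one mentioned above) under a hard timeout, so a hung helper is reported instead of blocking the caller. The 5-second default, the status names and the option to pass an argv list are assumptions of this example.

```python
import json
import shutil
import subprocess


def probe_helper(helper, timeout=5.0):
    """Run `<helper> list` and classify the outcome without blocking forever.

    `helper` is a binary name or path such as "docker-credential-desktop",
    or an argv list when the helper is started through a wrapper.
    Returns (status, detail); status is "ok", "timeout", "missing" or "error".
    """
    argv = [helper] if isinstance(helper, str) else list(helper)
    exe = shutil.which(argv[0])
    if exe is None:
        return "missing", f"{argv[0]} not found"
    try:
        proc = subprocess.run(
            [exe, *argv[1:], "list"],
            stdin=subprocess.DEVNULL,   # never let the helper wait on our stdin
            capture_output=True,
            text=True,
            timeout=timeout,            # the child is killed when this expires
        )
    except subprocess.TimeoutExpired:
        return "timeout", f"no reply within {timeout}s"
    if proc.returncode != 0:
        return "error", (proc.stderr or proc.stdout).strip()
    try:
        entries = json.loads(proc.stdout)
    except json.JSONDecodeError:
        return "error", "output is not JSON"
    if not isinstance(entries, dict):
        return "error", "expected a JSON object"
    # `list` maps server URL -> username; no secret is printed or kept here.
    return "ok", sorted(entries)


if __name__ == "__main__":
    for name in ("docker-credential-desktop", "docker-credential-osxkeychain"):
        print(name, *probe_helper(name))
```

A "timeout" status for one helper alongside "ok" for the other points at the helper's backend rather than at the registry or the network.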

@peterkc

peterkc commented Sep 3, 2022

@kaorihinata Notable. Docker Desktop will always reset credsStore in $HOME/config.json to desktop.

I was able to use credHelpers as a workaround for docker login.

{
  "credsStore": "desktop",
  "credHelpers": {
    "": "osxkeychain",
    "ghcr.io": "osxkeychain",
    "registry.hub.docker.com": "osxkeychain"
  }
}

macOS Version: Ventura 13.0 Beta 6 (22A5331f)
Intel chip or Apple chip: M1 Max
Docker Desktop Version: 4.12.0
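
An added example, not from the original comment or from Docker: it audits a config.json to show which backend holds each registry's credential, using the documented precedence (a credHelpers entry for the registry wins over credsStore, and with neither set the credential is kept base64-encoded in the file). The sample config is constructed, the registry names ending in .test are hypothetical, and exact-match lookup on the key string is an assumption.

```python
import json

# Constructed sample modelled on the workaround above, plus one inline
# `auths` entry carrying a made-up base64 "user:password" value.
SAMPLE = """
{
  "credsStore": "desktop",
  "credHelpers": {"ghcr.io": "osxkeychain"},
  "auths": {
    "ghcr.io": {},
    "registry.example.test": {"auth": "YWxpY2U6aHVudGVyMg=="}
  }
}
"""


def backend_for(config, registry):
    """Return the helper name serving `registry`, or None for the file store."""
    helper = config.get("credHelpers", {}).get(registry)
    return helper or config.get("credsStore") or None


def audit(config, registries=()):
    """Report, per registry, the storage backend and any secret left inline."""
    auths = config.get("auths", {})
    report = {}
    for name in sorted(set(registries) | set(auths)):
        helper = backend_for(config, name)
        entry = auths.get(name) or {}
        report[name] = {
            "backend": (f"docker-credential-{helper}" if helper
                        else "config.json (base64, not encrypted)"),
            # With a helper configured, `auths` entries should be empty; a
            # leftover auth/identitytoken value is a secret sitting on disk.
            "inline_secret": bool(entry.get("auth") or entry.get("identitytoken")),
        }
    return report


if __name__ == "__main__":
    print(json.dumps(audit(json.loads(SAMPLE), ["docker.example.test"]), indent=2))
```

In the sample, only ghcr.io is routed to osxkeychain; every other registry still goes through the desktop helper, and registry.example.test is flagged for a secret left inline in the file.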

@Dids

Dids commented Sep 5, 2022

Should this also solve the Docker Desktop/Dashboard app getting stuck on "Verifying credentials..." and locking up the entire desktop app? Because it unfortunately doesn't, at least not for me.

EDIT: Never mind, you clearly specified it as a workaround for docker login only. My bad!

@gawbul

gawbul commented Sep 10, 2022

Seems to be working now for me in macOS 13.0 beta 7 (22A5342f)?

$ /Applications/Docker.app/Contents/MacOS/com.docker.diagnose check
Starting diagnostics

[PASS] DD0027: is there available disk space on the host?
[PASS] DD0028: is there available VM disk space?
[PASS] DD0031: does the Docker API work?
[PASS] DD0004: is the Docker engine running?
[PASS] DD0011: are the LinuxKit services running?
[PASS] DD0016: is the LinuxKit VM running?
[PASS] DD0001: is the application running?
[PASS] DD0018: does the host support virtualization?
[PASS] DD0017: can a VM be started?
[PASS] DD0015: are the binary symlinks installed?
[PASS] DD0003: is the Docker CLI working?
[PASS] DD0013: is the $PATH ok?
[PASS] DD0007: is the backend responding?
[PASS] DD0014: are the backend processes running?
[PASS] DD0008: is the native API responding?
[PASS] DD0009: is the vpnkit API responding?
[PASS] DD0010: is the Docker API proxy responding?
[PASS] DD0012: is the VM networking working?
[PASS] DD0032: do Docker networks overlap with host IPs?
[SKIP] DD0030: is the image access management authorized?
[PASS] DD0019: is the com.docker.vmnetd process responding?
[PASS] DD0033: does the host have Internet access?
No fatal errors detected.

@kaorihinata

@gawbul Can confirm that. I've removed @peterkc's workaround and things are still working. Interface also seems responsive, so I assume communication with the backend is working now as well.

@zimmix

zimmix commented Sep 11, 2022

Update to Monterey Beta 7 fixed all of my Docker login issues.

@ushiii111798
Author

Update will fix all!! Beta software causes the error!!

@docker-robott
Collaborator

Closed issues are locked after 30 days of inactivity.
This helps our team focus on active issues.

If you have found a problem that seems similar to this, please open a new issue.

Send feedback to Docker Community Slack channels #docker-for-mac or #docker-for-windows.
/lifecycle locked

@docker docker locked and limited conversation to collaborators Oct 23, 2022