From bc44cb899c00c43a6e7bfdaf5b39f4ecd785c168 Mon Sep 17 00:00:00 2001
From: Avi Deitcher <deitch@users.noreply.github.com>
Date: Tue, 15 Jul 2025 14:07:20 +0300
Subject: [PATCH] fix registry auth (#4146)

Signed-off-by: Avi Deitcher <avi@deitcher.net>
---
 src/cmd/linuxkit/pkg.go           |  2 +-
 src/cmd/linuxkit/pkglib/docker.go | 11 +++++++----
 2 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/src/cmd/linuxkit/pkg.go b/src/cmd/linuxkit/pkg.go
index 7d35b3049..462e8eafb 100644
--- a/src/cmd/linuxkit/pkg.go
+++ b/src/cmd/linuxkit/pkg.go
@@ -101,6 +101,6 @@ func pkgCmd() *cobra.Command {
 	cmd.PersistentFlags().BoolVar(&dirty, "force-dirty", false, "Force the pkg(s) to be considered dirty")
 	cmd.PersistentFlags().BoolVar(&devMode, "dev", false, "Force org and hash to $USER and \"dev\" respectively")
 
-	cmd.PersistentFlags().StringSliceVar(&registryCreds, "registry-creds", nil, "Registry auths to use for building images, format is <registry>=<username>:<password> OR <registry>=<registry-token>. If no username is provided, it is treated as a registry token. <registry> must be a URL, e.g. 'https://index.docker.io/'. May be provided as many times as desired. Will override anything in your default.")
+	cmd.PersistentFlags().StringSliceVar(&registryCreds, "registry-creds", nil, "Registry auths to use for building images, format is <registry>=<username>:<password> OR <registry>=<registry-token-base64>; do NOT forget to base64 encode it. If no username is provided, it is treated as a registry token. <registry> must be a URL, e.g. 'https://index.docker.io/'. May be provided as many times as desired. Will override anything in your default.")
 	return cmd
 }
diff --git a/src/cmd/linuxkit/pkglib/docker.go b/src/cmd/linuxkit/pkglib/docker.go
index 39bcd24e3..ebd9adcc3 100644
--- a/src/cmd/linuxkit/pkglib/docker.go
+++ b/src/cmd/linuxkit/pkglib/docker.go
@@ -593,10 +593,13 @@ func (dr *dockerRunnerImpl) build(ctx context.Context, tag, pkg, dockerContext,
 		cf = configfile.New("custom")
 		// merge imageBuildOpts.RegistryAuths into dockercfg
 		for registry, auth := range imageBuildOpts.RegistryAuths {
-			bareRegistry := strings.TrimPrefix(registry, "https://")
-			bareRegistry = strings.TrimPrefix(bareRegistry, "http://")
-			cf.AuthConfigs[bareRegistry] = dockerconfigtypes.AuthConfig{
-				ServerAddress: bareRegistry,
+			// special case for docker.io
+			registryWithoutScheme := strings.TrimPrefix(registry, "https://")
+			registryWithoutScheme = strings.TrimPrefix(registryWithoutScheme, "http://")
+			if registryWithoutScheme == "docker.io" || registryWithoutScheme == "index.docker.io" || registryWithoutScheme == "registry-1.docker.io" {
+				registry = "https://index.docker.io/v1/"
+			}
+			cf.AuthConfigs[registry] = dockerconfigtypes.AuthConfig{
 				Username:      auth.Username,
 				Password:      auth.Password,
 				RegistryToken: auth.RegistryToken,