diff --git a/scripts/push-manifest.sh b/scripts/push-manifest.sh
index edb499375..79666cfb2 100755
--- a/scripts/push-manifest.sh
+++ b/scripts/push-manifest.sh
@@ -26,26 +26,34 @@ case $(uname -s) in
     Darwin)
         # Prior to 2018-03-27 D4M used a .bin suffix on the keychain utility binary name. Support the old name for a while
         if [ -f /Applications/Docker.app/Contents/Resources/bin/docker-credential-osxkeychain.bin ]; then
-            CRED=$(echo "https://index.docker.io/v1/" | /Applications/Docker.app/Contents/Resources/bin/docker-credential-osxkeychain.bin get)
+            CREDHELPER="/Applications/Docker.app/Contents/Resources/bin/docker-credential-osxkeychain.bin"
         else
-            CRED=$(echo "https://index.docker.io/v1/" | /Applications/Docker.app/Contents/Resources/bin/docker-credential-osxkeychain get)
+            CREDHELPER="/Applications/Docker.app/Contents/Resources/bin/docker-credential-osxkeychain"
         fi
-        USER=$(echo "$CRED" | jq -r '.Username')
-        PASS=$(echo "$CRED" | jq -r '.Secret')
-        MT_ARGS="--username $USER --password $PASS"
         ;;
     Linux)
-        CRED=$(cat ~/.docker/config.json | jq -r '.auths."https://index.docker.io/v1/".auth' | base64 -d -)
-        USER=$(echo $CRED | cut -d ':' -f 1)
-        PASS=$(echo $CRED | cut -d ':' -f 2-)
-        # manifest-tool can use docker credentials directly
-        MT_ARGS=
+        CREDSTORE=$(cat ~/.docker/config.json | jq -r '.credsStore // empty')
+        if [ -n "$CREDSTORE" ] ; then
+            CREDHELPER="docker-credential-$CREDSTORE"
+        else
+            CRED=$(cat ~/.docker/config.json | jq -r '.auths."https://index.docker.io/v1/".auth' | base64 -d -)
+            USER=$(echo $CRED | cut -d ':' -f 1)
+            PASS=$(echo $CRED | cut -d ':' -f 2-)
+            # manifest-tool can use docker credentials directly
+            MT_ARGS=
+        fi
         ;;
     *)
         echo "Unsupported platform"
         exit 1
         ;;
 esac
+if [ -n "$CREDHELPER" ] ; then
+    CRED=$(echo "https://index.docker.io/v1/" | "$CREDHELPER" get)
+    USER=$(echo "$CRED" | jq -r '.Username')
+    PASS=$(echo "$CRED" | jq -r '.Secret')
+    MT_ARGS="--username $USER --password $PASS"
+fi
 
 # Push manifest list
 OUT=$(manifest-tool $MT_ARGS push from-args \
diff --git a/src/cmd/linuxkit/pkglib/manifest_push_script.go b/src/cmd/linuxkit/pkglib/manifest_push_script.go
index 422309b7a..7befcfeea 100644
--- a/src/cmd/linuxkit/pkglib/manifest_push_script.go
+++ b/src/cmd/linuxkit/pkglib/manifest_push_script.go
@@ -29,26 +29,34 @@ case $(uname -s) in
     Darwin)
         # Prior to 2018-03-27 D4M used a .bin suffix on the keychain utility binary name. Support the old name for a while
         if [ -f /Applications/Docker.app/Contents/Resources/bin/docker-credential-osxkeychain.bin ]; then
-            CRED=$(echo "https://index.docker.io/v1/" | /Applications/Docker.app/Contents/Resources/bin/docker-credential-osxkeychain.bin get)
+            CREDHELPER="/Applications/Docker.app/Contents/Resources/bin/docker-credential-osxkeychain.bin"
         else
-            CRED=$(echo "https://index.docker.io/v1/" | /Applications/Docker.app/Contents/Resources/bin/docker-credential-osxkeychain get)
+            CREDHELPER="/Applications/Docker.app/Contents/Resources/bin/docker-credential-osxkeychain"
         fi
-        USER=$(echo "$CRED" | jq -r '.Username')
-        PASS=$(echo "$CRED" | jq -r '.Secret')
-        MT_ARGS="--username $USER --password $PASS"
         ;;
     Linux)
-        CRED=$(cat ~/.docker/config.json | jq -r '.auths."https://index.docker.io/v1/".auth' | base64 -d -)
-        USER=$(echo $CRED | cut -d ':' -f 1)
-        PASS=$(echo $CRED | cut -d ':' -f 2-)
-        # manifest-tool can use docker credentials directly
-        MT_ARGS=
+        CREDSTORE=$(cat ~/.docker/config.json | jq -r '.credsStore // empty')
+        if [ -n "$CREDSTORE" ] ; then
+            CREDHELPER="docker-credential-$CREDSTORE"
+        else
+            CRED=$(cat ~/.docker/config.json | jq -r '.auths."https://index.docker.io/v1/".auth' | base64 -d -)
+            USER=$(echo $CRED | cut -d ':' -f 1)
+            PASS=$(echo $CRED | cut -d ':' -f 2-)
+            # manifest-tool can use docker credentials directly
+            MT_ARGS=
+        fi
         ;;
     *)
         echo "Unsupported platform"
         exit 1
         ;;
 esac
+if [ -n "$CREDHELPER" ] ; then
+    CRED=$(echo "https://index.docker.io/v1/" | "$CREDHELPER" get)
+    USER=$(echo "$CRED" | jq -r '.Username')
+    PASS=$(echo "$CRED" | jq -r '.Secret')
+    MT_ARGS="--username $USER --password $PASS"
+fi
 
 # Push manifest list
 OUT=$(manifest-tool $MT_ARGS push from-args \
diff --git a/tools/alpine/push-manifest.sh b/tools/alpine/push-manifest.sh
index 08294ad48..0a23631cb 100755
--- a/tools/alpine/push-manifest.sh
+++ b/tools/alpine/push-manifest.sh
@@ -48,26 +48,34 @@ case $(uname -s) in
     Darwin)
         # Prior to 2018-03-27 D4M used a .bin suffix on the keychain utility binary name. Support the old name for a while
         if [ -f /Applications/Docker.app/Contents/Resources/bin/docker-credential-osxkeychain.bin ]; then
-            CRED=$(echo "https://index.docker.io/v1/" | /Applications/Docker.app/Contents/Resources/bin/docker-credential-osxkeychain.bin get)
+            CREDHELPER="/Applications/Docker.app/Contents/Resources/bin/docker-credential-osxkeychain.bin"
         else
-            CRED=$(echo "https://index.docker.io/v1/" | /Applications/Docker.app/Contents/Resources/bin/docker-credential-osxkeychain get)
-        fi    
-        USER=$(echo "$CRED" | jq -r '.Username')
-        PASS=$(echo "$CRED" | jq -r '.Secret')
-        MT_ARGS="--username $USER --password $PASS"
+            CREDHELPER="/Applications/Docker.app/Contents/Resources/bin/docker-credential-osxkeychain"
+        fi
         ;;
     Linux)
-        CRED=$(cat ~/.docker/config.json | jq -r '.auths."https://index.docker.io/v1/".auth' | base64 -d -)
-        USER=$(echo $CRED | cut -d ':' -f 1)
-        PASS=$(echo $CRED | cut -d ':' -f 2-)
-        # manifest-tool can use docker credentials directly
-        MT_ARGS=
+        CREDSTORE=$(cat ~/.docker/config.json | jq -r '.credsStore // empty')
+        if [ -n "$CREDSTORE" ] ; then
+            CREDHELPER="docker-credential-$CREDSTORE"
+        else
+            CRED=$(cat ~/.docker/config.json | jq -r '.auths."https://index.docker.io/v1/".auth' | base64 -d -)
+            USER=$(echo $CRED | cut -d ':' -f 1)
+            PASS=$(echo $CRED | cut -d ':' -f 2-)
+            # manifest-tool can use docker credentials directly
+            MT_ARGS=
+        fi
         ;;
     *)
         echo "Unsupported platform"
         exit 1
         ;;
 esac
+if [ -n "$CREDHELPER" ] ; then
+    CRED=$(echo "https://index.docker.io/v1/" | "$CREDHELPER" get)
+    USER=$(echo "$CRED" | jq -r '.Username')
+    PASS=$(echo "$CRED" | jq -r '.Secret')
+    MT_ARGS="--username $USER --password $PASS"
+fi
 
 # Push manifest list
 OUT=$(manifest-tool $MT_ARGS push from-spec --ignore-missing "$YAML")