OctopusDeploy · matt-richardson · Aug 28, 2025 · Aug 28, 2025 · Aug 29, 2025 · Sep 1, 2025
diff --git a/build/Build.PackageCalamariProjects.cs b/build/Build.PackageCalamariProjects.cs
@@ -92,6 +92,39 @@ public partial class Build
 
                            await Task.WhenAll(ridTasks);
 
+                           // Publish the standalone docker-credential-octopus (a single self-contained,
+                           // trimmed binary) and drop it straight into Calamari's folder. Its name is unique,
+                           // so it doesn't collide with any Calamari file; the downloader adds the Calamari
+                           // folder to PATH so Docker can invoke it, and it gets signed with Calamari's binaries.
+                           var calamariProject = Solution.AllProjects.FirstOrDefault(p => p.Name == "Calamari")
+                                                 ?? throw new InvalidOperationException("Could not find the 'Calamari' project.");
+                           var helperProject = Solution.AllProjects.FirstOrDefault(p => p.Name == "Calamari.DockerCredentialHelper")
+                                               ?? throw new InvalidOperationException("Could not find the 'Calamari.DockerCredentialHelper' project.");
+                           foreach (var rid in GetRuntimeIdentifiers(calamariProject))
+                           {
+                               var stagingDirectory = KnownPaths.PublishDirectory / "Calamari.DockerCredentialHelper" / rid;
+                               Log.Information("Publishing docker-credential-octopus for {Rid}", rid);
+                               // Trimming / single-file / invariant-globalization are applied here (not in the
+                               // csproj) so they don't leak into how Calamari.Tests consumes the project reference.
+                               DotNetPublish(s => s
+                                                  .SetConfiguration(Configuration)
+                                                  .SetProject(helperProject)
+                                                  .SetFramework(Frameworks.Net80)
+                                                  .SetRuntime(rid)
+                                                  .SetVersion(NugetVersion.Value)
+                                                  .SetInformationalVersion(OctoVersionInfo.Value?.InformationalVersion)
+                                                  .EnableSelfContained()
+                                                  .EnablePublishSingleFile()
+                                                  .EnablePublishTrimmed()
+                                                  .SetOutput(stagingDirectory));
+
+                               var calamariRidDirectory = (KnownPaths.PublishDirectory / "Calamari" / rid).ToString();
+                               foreach (var helperFile in Directory.GetFiles(stagingDirectory.ToString(), "docker-credential-octopus*"))
+                                   File.Copy(helperFile, Path.Combine(calamariRidDirectory, Path.GetFileName(helperFile)), overwrite: true);
+
+                               stagingDirectory.DeleteDirectory();
+                           }
+
                            // Sign and compress tasks
                            Log.Information("Signing published binaries...");
                            var signTasks = outputPaths

diff --git a/build/Signing.cs b/build/Signing.cs
@@ -35,7 +35,9 @@ public static void SignAndTimestampBinaries(
                                                                         "Calamari*.exe",
                                                                         "Calamari*.dll",
                                                                         "Octo*.exe",
-                                                                        "Octo*.dll")
+                                                                        "Octo*.dll",
+                                                                        "docker-credential-octopus*.exe",
+                                                                        "docker-credential-octopus*.dll")
                                                   .Where(f => !HasAuthenticodeSignature(f))
                                                   .ToArray();
 

diff --git a/source/Calamari.Common/FeatureToggles/OctopusFeatureToggle.cs b/source/Calamari.Common/FeatureToggles/OctopusFeatureToggle.cs
@@ -9,11 +9,13 @@ public static class KnownSlugs
             public const string ArgoCDHelmReplacePathFromContainerReferenceFeatureToggle = "argo-cd-helm-replace-path-from-container-reference";
             public const string KustomizePatchImageUpdatesFeatureToggle = "kustomize-patch-image-updates";
             public const string ArgoRolloutsSupportFeatureToggle = "argo-rollouts-support";
+            public const string UseDockerCredentialHelper = "calamari-use-docker-credential-helper";
         };
 
         public static readonly OctopusFeatureToggle ArgoCDHelmReplacePathFromContainerReferenceFeatureToggle = new(KnownSlugs.ArgoCDHelmReplacePathFromContainerReferenceFeatureToggle);
         public static readonly OctopusFeatureToggle KustomizePatchImageUpdatesFeatureToggle = new(KnownSlugs.KustomizePatchImageUpdatesFeatureToggle);
         public static readonly OctopusFeatureToggle ArgoRolloutsSupportFeatureToggle = new(KnownSlugs.ArgoRolloutsSupportFeatureToggle);
+        public static readonly OctopusFeatureToggle UseDockerCredentialHelperFeatureToggle = new(KnownSlugs.UseDockerCredentialHelper);
 
         public class OctopusFeatureToggle
         {

diff --git a/source/Calamari.Common/Features/Processes/CommandLineRunner.cs b/source/Calamari.Common/Features/Processes/CommandLineRunner.cs
@@ -13,16 +13,26 @@ public class CommandLineRunner : ICommandLineRunner
     {
         readonly ILog log;
         readonly IVariables variables;
+        readonly ICommandInvocationOutputSink? additionalInvocationOutputSink;
 
         public CommandLineRunner(ILog log, IVariables variables)
+            : this(log, variables, null)
+        {
+        }
+
+        public CommandLineRunner(ILog log, IVariables variables, ICommandInvocationOutputSink? additionalInvocationOutputSink = null)
         {
             this.log = log;
             this.variables = variables;
+            this.additionalInvocationOutputSink = additionalInvocationOutputSink;
         }
 
         public CommandResult Execute(CommandLineInvocation invocation)
         {
-            var commandOutput = new SplitCommandInvocationOutputSink(GetCommandOutputs(invocation));
+            var outputSinks = GetCommandOutputs(invocation);
+            if (additionalInvocationOutputSink != null)
+                outputSinks.Add(additionalInvocationOutputSink);
+            var commandOutput = new SplitCommandInvocationOutputSink(outputSinks);
 
             try
             {
@@ -112,4 +122,4 @@ public static string ConstructWin32ExceptionMessage(string executable)
                 $"Unable to execute {executable}, please ensure that {executable} is installed and is in the PATH.{Environment.NewLine}";
         }
     }
-}
+}
diff --git a/source/Calamari.Common/Features/Processes/InMemoryCommandOutputSink.cs b/source/Calamari.Common/Features/Processes/InMemoryCommandOutputSink.cs
@@ -0,0 +1,24 @@
+using System;
+using System.Text;
+using Calamari.Common.Plumbing.Commands;
+
+namespace Calamari.Common.Features.Processes
+{
+    public class InMemoryCommandOutputSink : ICommandInvocationOutputSink
+    {
+        readonly StringBuilder stdOut = new StringBuilder();
+        readonly StringBuilder stdErr = new StringBuilder();
+        public string StdOut => stdOut.ToString();
+        public string StdErr => stdErr.ToString();
+
+        public void WriteInfo(string line)
+        {
+            stdOut.AppendLine(line);
+        }
+
+        public void WriteError(string line)
+        {
+            stdErr.AppendLine(line);
+        }
+    }
+}
diff --git a/source/Calamari.DockerCredentialHelper/AesEncryption.cs b/source/Calamari.DockerCredentialHelper/AesEncryption.cs
@@ -0,0 +1,80 @@
+using System;
+using System.IO;
+using System.Security.Cryptography;
+using System.Text;
+
+namespace Calamari.DockerCredentialHelper
+{
+    // Self-contained AES used only by docker-credential-octopus to protect the short-lived credential
+    // files it writes during a package acquisition. The helper both writes (on `docker login`) and
+    // reads (on `docker pull`) these files, so this does not need to interoperate with Calamari's AesEncryption
+    public class AesEncryption
+    {
+        const int KeySizeBits = 256;
+        const int BlockSizeBits = 128;
+        const int PasswordSaltIterations = 1000;
+        static readonly byte[] PasswordPaddingSalt = Encoding.UTF8.GetBytes("Octopuss");
+        static readonly byte[] IvPrefix = Encoding.UTF8.GetBytes("IV__");
+
+        readonly byte[] encryptionKey;
+
+        AesEncryption(string password)
+        {
+            encryptionKey = Rfc2898DeriveBytes.Pbkdf2(password, PasswordPaddingSalt, PasswordSaltIterations, HashAlgorithmName.SHA1, KeySizeBits / 8);
+        }
+
+        public static AesEncryption ForScripts(string password) => new AesEncryption(password);
+
+        public byte[] Encrypt(string plaintext)
+        {
+            var plainTextBytes = Encoding.UTF8.GetBytes(plaintext);
+            using var algorithm = CreateAlgorithm();
+            using var encryptor = algorithm.CreateEncryptor();
+            using var stream = new MemoryStream();
+
+            // The IV is random per-encrypt and prepended (after a marker) so Decrypt can recover it.
+            stream.Write(IvPrefix, 0, IvPrefix.Length);
+            stream.Write(algorithm.IV, 0, algorithm.IV.Length);
+            using (var cryptoStream = new CryptoStream(stream, encryptor, CryptoStreamMode.Write))
+                cryptoStream.Write(plainTextBytes, 0, plainTextBytes.Length);
+
+            return stream.ToArray();
+        }
+
+        public string Decrypt(byte[] encrypted)
+        {
+            var aesBytes = ExtractIV(encrypted, out var iv);
+            using var algorithm = CreateAlgorithm();
+            algorithm.IV = iv;
+            using var decryptor = algorithm.CreateDecryptor();
+            using var memoryStream = new MemoryStream(aesBytes);
+            using var cryptoStream = new CryptoStream(memoryStream, decryptor, CryptoStreamMode.Read);
+            using var reader = new StreamReader(cryptoStream, Encoding.UTF8);
+            return reader.ReadToEnd();
+        }
+
+        Aes CreateAlgorithm()
+        {
+            var algorithm = Aes.Create();
+            algorithm.Mode = CipherMode.CBC;
+            algorithm.Padding = PaddingMode.PKCS7;
+            algorithm.KeySize = KeySizeBits;
+            algorithm.BlockSize = BlockSizeBits;
+            algorithm.Key = encryptionKey;
+            return algorithm;
+        }
+
+        static byte[] ExtractIV(byte[] encrypted, out byte[] iv)
+        {
+            var ivLength = BlockSizeBits / 8;
+            iv = new byte[ivLength];
+            Buffer.BlockCopy(encrypted, IvPrefix.Length, iv, 0, ivLength);
+
+            var ivDataLength = IvPrefix.Length + ivLength;
+            var aesDataLength = encrypted.Length - ivDataLength;
+            var aesData = new byte[aesDataLength];
+            Buffer.BlockCopy(encrypted, ivDataLength, aesData, 0, aesDataLength);
+            return aesData;
+        }
+    }
+}
diff --git a/source/Calamari.DockerCredentialHelper/Calamari.DockerCredentialHelper.csproj b/source/Calamari.DockerCredentialHelper/Calamari.DockerCredentialHelper.csproj
@@ -0,0 +1,23 @@
+<Project Sdk="Microsoft.NET.Sdk">
+
+    <PropertyGroup>
+        <OutputType>Exe</OutputType>
+        <AssemblyName>docker-credential-octopus</AssemblyName>
+        <RootNamespace>Calamari.DockerCredentialHelper</RootNamespace>
+        <TargetFramework>net8.0</TargetFramework>
+        <RuntimeIdentifiers>win-x64;linux-x64;osx-x64;linux-arm;linux-arm64</RuntimeIdentifiers>
+        <Nullable>enable</Nullable>
+        <TreatWarningsAsErrors>true</TreatWarningsAsErrors>
+        <IsPackable>false</IsPackable>
+        <!-- NOTE: trimming/single-file are applied at publish time by build/Build.PackageCalamariProjects.cs,
+             NOT here. Setting them as project properties leaks into how Calamari.Tests consumes this
+             project reference and produces a non-runnable apphost in the test output. -->
+    </PropertyGroup>
+
+    <ItemGroup>
+        <!-- Match the System.Text.Json version the rest of the solution uses, so the assemblies in a
+             shared output directory (e.g. Calamari.Tests) agree with this project's deps.json. -->
+        <PackageReference Include="System.Text.Json" Version="9.0.16" />
+    </ItemGroup>
+
+</Project>
diff --git a/source/Calamari.DockerCredentialHelper/CredentialModels.cs b/source/Calamari.DockerCredentialHelper/CredentialModels.cs
@@ -0,0 +1,33 @@
+using System.Text.Json.Serialization;
+
+namespace Calamari.DockerCredentialHelper
+{
+    public record DockerCredential
+    {
+        public string Username { get; init; } = string.Empty;
+        public string Secret { get; init; } = string.Empty;
+    }
+
+    public record StoreRequest
+    {
+        public string ServerURL { get; init; } = string.Empty;
+        public string Username { get; init; } = string.Empty;
+        public string Secret { get; init; } = string.Empty;
+    }
+
+    public record GetResponse
+    {
+        public string ServerURL { get; init; } = string.Empty;
+        public string Username { get; init; } = string.Empty;
+        public string Secret { get; init; } = string.Empty;
+    }
+
+    // Source-generated serialization keeps System.Text.Json trim-safe (no reflection), so the
+    // published binary can be trimmed without losing (de)serialization of these types.
+    [JsonSerializable(typeof(DockerCredential))]
+    [JsonSerializable(typeof(StoreRequest))]
+    [JsonSerializable(typeof(GetResponse))]
+    internal partial class CredentialJsonContext : JsonSerializerContext
+    {
+    }
+}
diff --git a/source/Calamari.DockerCredentialHelper/DockerCredentialProtocol.cs b/source/Calamari.DockerCredentialHelper/DockerCredentialProtocol.cs
@@ -0,0 +1,96 @@
+using System;
+using System.IO;
+using System.Text.Json;
+
+namespace Calamari.DockerCredentialHelper
+{
+    public class DockerCredentialProtocol
+    {
+        readonly DockerCredentialStore store;
+
+        public DockerCredentialProtocol(DockerCredentialStore store)
+        {
+            this.store = store;
+        }
+
+        public int Run(string operation, TextReader input, TextWriter output, TextWriter error, string encryptionPassword, string dockerConfigPath)
+        {
+            switch (operation.ToLowerInvariant())
+            {
+                case "store":
+                    return Store(input, error, encryptionPassword, dockerConfigPath);
+                case "get":
+                    return Get(input, output, error, encryptionPassword, dockerConfigPath);
+                case "erase":
+                    return Erase(input, dockerConfigPath);
+                case "list":
+                    return List(output);
+                default:
+                    error.WriteLine($"Invalid operation: {operation}. Valid operations are: store, get, erase, list");
+                    return 1;
+            }
+        }
+
+        // Docker's 'list' expects a JSON map of ServerURL -> Username. We don't enumerate stored
+        // credentials (they're short-lived, per-acquisition), so we report none.
+        int List(TextWriter output)
+        {
+            output.WriteLine("{}");
+            return 0;
+        }
+
+        // Docker sends a JSON object on stdin for 'store'.
+        int Store(TextReader input, TextWriter error, string encryptionPassword, string dockerConfigPath)
+        {
+            StoreRequest? request;
+            try
+            {
+                request = JsonSerializer.Deserialize(input.ReadToEnd(), CredentialJsonContext.Default.StoreRequest);
+            }
+            catch (Exception)
+            {
+                error.WriteLine("Invalid store request");
+                return 1;
+            }
+
+            if (request == null || string.IsNullOrEmpty(request.ServerURL))
+            {
+                error.WriteLine("Invalid store request");
+                return 1;
+            }
+
+            store.Store(request.ServerURL, request.Username, request.Secret, encryptionPassword, dockerConfigPath);
+            return 0;
+        }
+
+        // Docker sends a bare server URL line on stdin for 'get' and 'erase'.
+        int Get(TextReader input, TextWriter output, TextWriter error, string encryptionPassword, string dockerConfigPath)
+        {
+            var serverUrl = input.ReadLine()?.Trim();
+            if (string.IsNullOrEmpty(serverUrl))
+            {
+                error.WriteLine("No server URL provided");
+                return 1;
+            }
+
+            var credential = store.Get(serverUrl, encryptionPassword, dockerConfigPath);
+            if (credential == null)
+            {
+                error.WriteLine("credentials not found in native keychain");
+                return 1;
+            }
+
+            var response = new GetResponse { ServerURL = serverUrl, Username = credential.Username, Secret = credential.Secret };
+            output.WriteLine(JsonSerializer.Serialize(response, CredentialJsonContext.Default.GetResponse));
+            return 0;
+        }
+
+        int Erase(TextReader input, string dockerConfigPath)
+        {
+            var serverUrl = input.ReadLine()?.Trim();
+            if (!string.IsNullOrEmpty(serverUrl))
+                store.Erase(serverUrl, dockerConfigPath);
+            return 0;
+        }
+    }
+}