Skip to content

crane: Latest debug container gives Unauthorized in Gitlab CICD #2172

New issue
New issue
Open
Open
crane: Latest debug container gives Unauthorized in Gitlab CICD#2172
Labels
bugSomething isn't working
@bartvollebregt

Description

@bartvollebregt
bartvollebregt
opened on Nov 25, 2025

Describe the bug

We've been using the Crane docker container in Gitlab for quite some time and it has worked very well for us. Here's the Gitlab CICD yaml we've been using:

.deploy:
  stage: deploy
  when: manual
  needs: ["build"]
  only:
    - main
  except:
    - schedules
  image:
    name: gcr.io/go-containerregistry/crane:debug
    entrypoint: ['']
  script:
    - crane auth login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
    - crane tag $CI_REGISTRY_IMAGE:$CI_COMMIT_SHORT_SHA $CI_ENVIRONMENT_NAME

Since this morning we're getting Unauthorized errors in our Jobs:

Using docker image sha256:7509e02bec939bea8d499f4348b69f49c48481896e2e1d08839233f560b24d81 for gcr.io/go-containerregistry/crane:debug with digest gcr.io/go-containerregistry/crane@sha256:e505815aa3573ae223c2ddcd004c8d4f7a6608df85da429af1e0f6aff728a1f0 ...
$ crane auth login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
WARNING! Your credentials are stored unencrypted in '/root/.docker/config.json'.
Configure a credential helper to remove this warning. See
https://docs.docker.com/go/credential-store/
2025/11/25 11:57:39 logged in via /root/.docker/config.json
$ crane tag $CI_REGISTRY_IMAGE:$CI_COMMIT_SHORT_SHA $CI_ENVIRONMENT_NAME
Error: fetching "registry.gitlab.com/......": GET https://registry.gitlab.com/v2/..... : UNAUTHORIZED: authentication required; ....

Forcing an older version of the crane docker image seems to work fine and can be used as a workaround for now:

.deploy:
  stage: deploy
  when: manual
  needs: ["build"]
  only:
    - main
  except:
    - schedules
  image:
    name: gcr.io/go-containerregistry/crane@sha256:fbdf6d55c5ae90d9ae637b9bd9f10119496fdf18a3b5f9cd3078ae6044161c18
    entrypoint: ['']
  script:
    - crane auth login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
    - crane tag $CI_REGISTRY_IMAGE:$CI_COMMIT_SHORT_SHA $CI_ENVIRONMENT_NAME

To Reproduce

Try to retag a container using the Gitlab CICD template as described above. An UNAUTHORIZED error will occur.

Expected behavior

The retagging should succeed without any issues.

Additional context

Seems to be quite similar to this older issue: #1662

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugSomething isn't working

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions