The cosign login command stores incorrect creds under /root/.docker/config.json

[dpateriya]

Description

The cosign login command does not validate the credentials against the registry server and directly puts the credentials into the `/root/.docker/config.json`

$ cosign login quay.io -u username
logged in via /root/.docker/config.json
[root@vm-236-142 ~]# cat /root/.docker/config.json
{
	"auths": {
		"quay.io": {
			"auth": "dXNlcm5hbWUK"
		}
	}
}

The correct behaviour would be to ask for the password via prompt and once the creds are validated, the /root/.docker/config.json file should be updated. This leads to problems when signing the images.

Version

GitVersion: v2.4.3
GitCommit: 6a7abbf3ae7eb6949883a80c8f6007cc065d2dfb
GitTreeState: clean
BuildDate: 2025-02-19T19:34:52Z
GoVersion: go1.23.6
Compiler: gc
Platform: linux/amd64

[dpateriya]

It was marked closed accidentally