Add escape hatch for GODEBUG=x509negativeserial

Benehiko · vvoland · commit 0a2eaa4d0535 · 2025-08-29T16:00:16.000+02:00
Signed-off-by: Alano Terblanche <18033717+Benehiko@users.noreply.github.com> (cherry picked from commit 7d7a7aa) Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
diff --git a/cli/command/cli.go b/cli/command/cli.go
@@ -282,6 +282,8 @@ func (cli *DockerCli) Initialize(opts *cliflags.ClientOptions, ops ...CLIOption)
 	}
 	filterResourceAttributesEnvvar()
 
+	cli.setAllowNegativex509()
+
 	return nil
 }
 
@@ -475,6 +477,43 @@ func (cli *DockerCli) getDockerEndPoint() (ep docker.Endpoint, err error) {
 	return resolveDockerEndpoint(cli.contextStore, cn)
 }
 
+// setAllowNegativex509 is an escape hatch that sets the GODEBUG=x509negativeserial
+// environment variable for this process and sub-processes (such as CLI plugins)
+func (cli *DockerCli) setAllowNegativex509() {
+	cn := cli.CurrentContext()
+	meta, err := cli.ContextStore().GetMetadata(cn)
+	if err != nil {
+		return
+	}
+
+	fieldName := "allowx509negativeserialdonotuse"
+
+	var config any
+	var ok bool
+	switch m := meta.Metadata.(type) {
+	case DockerContext:
+		config, ok = m.AdditionalFields[fieldName]
+		if !ok {
+			return
+		}
+	case map[string]any:
+		config, ok = m[fieldName]
+		if !ok {
+			return
+		}
+	default:
+		return
+	}
+
+	v, ok := config.(string)
+	if !ok {
+		return
+	}
+	if v == "1" {
+		_ = os.Setenv("GODEBUG", "x509negativeserial=1")
+	}
+}
+
 func (cli *DockerCli) initialize() error {
 	cli.init.Do(func() {
 		cli.dockerEndpoint, cli.initErr = cli.getDockerEndPoint()
