From f89e827657a37ae5ecc63a4d4be77012270eb991 Mon Sep 17 00:00:00 2001
From: vatsalgargg <vatsalg80@gmail.com>
Date: Tue, 24 Mar 2026 18:55:25 +0530
Subject: [PATCH] fix: surface HTTP fallback errors when HTTPS login fails

Signed-off-by: vatsalgargg <vatsalg80@gmail.com>
---
 cli/command/registry/login.go | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/cli/command/registry/login.go b/cli/command/registry/login.go
index e7f590976580..a210b991a258 100644
--- a/cli/command/registry/login.go
+++ b/cli/command/registry/login.go
@@ -169,8 +169,15 @@ func runLogin(ctx context.Context, dockerCLI command.Cli, opts loginOptions) err
 	// if we failed to authenticate with stored credentials (or didn't have stored credentials),
 	// prompt the user for new credentials
 	if err != nil || authConfig.Username == "" || authConfig.Password == "" {
+		msg, err = loginUser(ctx, dockerCLI, opts, authConfig.Username, authConfig.ServerAddress)
 		msg, err = loginUser(ctx, dockerCLI, opts, authConfig.Username, authConfig.ServerAddress)
 		if err != nil {
+			// --- PATCH START: Expose HTTPS to HTTP fallback failures ---
+			if strings.HasPrefix(opts.serverAddress, "https://") && strings.Contains(err.Error(), "http://") {
+				return fmt.Errorf("login failed: you requested HTTPS, but the daemon fell back to HTTP (insecure registry) and was rejected.\nDaemon error: %w", err)
+			}
+			// --- PATCH END ---
+
 			return err
 		}
 	}