docker-credential-helpers icon indicating copy to clipboard operation
docker-credential-helpers copied to clipboard

Published 20 hours ago verified publisher icon docker

docker-credential-pass does not work at all

Open TacticalCode opened this issue 6 years ago • 11 comments

I've followed the setup instructions for pass from #102 When I use docker login now:

~# docker login my.private.reg:5050
error getting credentials - err: exit status 1, out: `error fetching password during initialization: exit status 2: gpg: decryption failed: No secret key`
~# docker-credential-pass list
{"my.private.reg:5050":"[email protected]"}
~# pass show docker-credential-helpers/docker-pass-initialized-check
test123
~# docker login my.private.reg:5050
Username ([email protected]):
Password:
Error: Password Required

As you can see, first docker-credential-pass is unable to open the password store failing with gpg: decryption failed: No secret key, whereas pass show <some-entry> will prompt for the gpg key passphrase.

Even when gpg-agent(?) has cached the private key allowing to access the password store without the passphrase, docker login pre-fills my username, but I still have to enter the registry password.

I've verified my private key is present in GPG and has the same ID as ~/.password-store/.gpg-id Also, I've verified pass has stored the correct password in docker-credential-helpers/bXkucHJpdmF0ZS5yZWc6NTA1MAo\=/[email protected] and the subfolder is the registry's base64-encoded URI.

My ~/.docker/config.json:

{
	"HttpHeaders": {
			"User-Agent": "Docker-Client/18.03.1-ce (linux)"
	},
	"credsStore": "pass"
}

docker-credential-pass version: 0.6.0 GPG version: 2.2.4-1ubuntu1.1 pass version: v1.7.1 Docker version: 18.03.1-ce OS: Ubuntu 18.04 x64 server

Expected behavior I expected no password prompt and a successful login to my.private.reg:5050 (or just the gpg passphrase prompt from pass) when running docker login

Observed behavior No prompt for GPG passphrase, prompt for registry password

What's wrong with my setup?

TacticalCode avatar Jul 19 '18 06:07 TacticalCode

Weird bug, can you try out #124, and see if that fixes your problem?

eyJhb avatar Sep 23 '18 07:09 eyJhb

OK here's another essential tip if you find your pass repo constantly corrupted by incomplete docker-pass-initialized-check:

export GPG_TTY=$(tty)

... so that gpg properly prompts for key passphrase, assuming you have one.

javabrett avatar Apr 17 '19 06:04 javabrett

I'm experiencing same issue, and I have no GPG passphrase set. Wondering if OP found an solution?

daili0802 avatar May 12 '20 22:05 daili0802

OK here's another essential tip if you find your pass repo constantly corrupted by incomplete docker-pass-initialized-check:

export GPG_TTY=$(tty)

... so that gpg properly prompts for key passphrase, assuming you have one.

This really worked for me after banging my head to the wall for the whole day.

albertmundu avatar May 28 '20 20:05 albertmundu

OK here's another essential tip if you find your pass repo constantly corrupted by incomplete docker-pass-initialized-check:

export GPG_TTY=$(tty)

... so that gpg properly prompts for key passphrase, assuming you have one.

Perfect response, thank you for swift reaction ;)

pbrilius avatar Aug 11 '20 13:08 pbrilius

Same as OP but it a docker-compose up that pull images from ghcr.io that fails rather than docker.login.

noraj avatar Mar 05 '22 17:03 noraj

OK here's another essential tip if you find your pass repo constantly corrupted by incomplete docker-pass-initialized-check:

export GPG_TTY=$(tty)

... so that gpg properly prompts for key passphrase, assuming you have one.

OK here's another essential tip if you find your pass repo constantly corrupted by incomplete docker-pass-initialized-check:

export GPG_TTY=$(tty)

... so that gpg properly prompts for key passphrase, assuming you have one.

Excellent solution! It worked for me too.

imjavierpalma avatar Oct 03 '22 20:10 imjavierpalma

It worked perfectly here

OK here's another essential tip if you find your pass repo constantly corrupted by incomplete docker-pass-initialized-check:

export GPG_TTY=$(tty)

... so that gpg properly prompts for key passphrase, assuming you have one.

estevaopbs avatar Jan 02 '23 22:01 estevaopbs

Same as OP but it a docker-compose up that pull images from ghcr.io that fails rather than docker.login.

@noraj did you ever figure this out? I am seeing the same thing when docker compose goes to pull the images.

jkossis avatar Jan 10 '23 19:01 jkossis

Same as OP but it a docker-compose up that pull images from ghcr.io that fails rather than docker.login.

@noraj did you ever figure this out? I am seeing the same thing when docker compose goes to pull the images.

Same issue here. The export GPG_TTY=$(tty) seems to solve the issue by presenting a prompt, but it does not seem like a good solution for me since I want to script the docker pull through ansible.

wartek69 avatar Jan 12 '23 09:01 wartek69

Considering there is no way to use docker-credential-pass (and therefore docker) if no X server is available and you do not pass this environment variable, should docker-credential-pass add this variable to the environment when executing pass? Of course only if the STDIN of docker-credential-pass is a tty.

pfirsich avatar May 02 '23 16:05 pfirsich