Docker login using pass credential store

More secure method for working with DockerHub on Linux.

First, ensure we’re starting from an empty password store:

rm -fr ~/.password-store

Configure GnuPG

Ensure that GPG can prompt in the terminal. Note that koopa sets this automatically.

GPG_TTY="$(tty)"
export GPG_TTY

Check your GnuPG configuration.

gpg -K

Ensure the primary key is trusted.

gpg --edit-key "EMAIL"

Tell the GPG agent you trust the key.

gpg> trust
# Select 5: '5 = I trust ultimately'
gpg> quit

Configure pass

Now you’re ready to intitialize pass.

pass init "EMAIL"

The pass library is saved in ~/.password-store.

Configure docker-credential-pass

Now we’re ready to initialize docker credential helpers, using pass in this case. Note that osxkeychain is also supported for macOS.

pass insert docker-credential-helpers/docker-pass-initialized-check

Enter pass is initialized.

pass show docker-credential-helpers/docker-pass-initialized-check

PGP password should prompt here unless it’s already active.

docker-credential-pass list

You should see:

{}

Configure Docker

Ensure your configuration is clean.

rm -fr ~/.docker

You need to specify the credentials store in ~/.docker/config.json to tell the docker engine to use it. The value of the config property should be the suffix of the program to use (i.e. everything after docker-credential-). Here we’re using pass for Linux.

{
    "credsStore": "pass"
}

Log out of Docker.

docker logout

Now log in. You’ll be prompted for a password, but this should only happen once.

docker login --username="USERNAME" docker.io

If you hit this error with pushes, it is because your GPG key is locked or the cred store isn’t configured correctly.

# denied: requested access to the resource is denied

References