Fixing Docker Credential Store Issues on Arch Linux
A comprehensive guide to troubleshooting and fixing Docker credential store issues on Arch Linux using GPG and pass.
12th July 2024
Introduction
If you're using Docker on Arch Linux and encounter the error "gpg: public key decryption failed: No such file or directory", you're not alone. This issue typically arises when Docker tries to access credentials stored with GPG encryption but can't decrypt them because of a missing or misconfigured passphrase. This blog post will guide you through troubleshooting and fixing this issue.
Understanding the Issue
When Docker uses the pass credential store, it relies on GPG for encrypting and decrypting your credentials. If your GPG key has a passphrase, Docker might fail to access the credentials without manual passphrase entry, resulting in errors during operations.
Step-by-Step Guide to Fixing the Issue
Step 1: Verify pass and GPG Setup
First, ensure pass and GPG are installed and correctly set up on your system.
sudo pacman -S pass gnupg
Initialize pass with your GPG key:
gpg --list-keys
pass init <YOUR_GPG_KEY_ID>
Step 2: Configure gpg-agent for Automatic Passphrase Entry
To allow Docker to access GPG-protected credentials without manual passphrase entry, configure gpg-agent to cache the passphrase.
- Edit gpg-agent Configuration:
Create or edit the ~/.gnupg/gpg-agent.conf file with the following content:
pinentry-program /usr/bin/pinentry-gtk-2
default-cache-ttl 600
max-cache-ttl 7200
pinentry-program: This specifies the pinentry program used for passphrase entry. You can use pinentry-gtk-2, pinentry-qt, or pinentry-curses based on your preference.
default-cache-ttl: Time in seconds a passphrase is cached.
max-cache-ttl: Maximum time in seconds a passphrase is cached.
- Reload gpg-agent Configuration:
gpg-connect-agent reloadagent /bye
- Set GPG Environment Variable:
Ensure the following line is present in your shell configuration file (~/.bashrc, ~/.zshrc, etc.):
export GPG_TTY=$(tty)
Reload your shell configuration:
source ~/.bashrc # or ~/.zshrc
Step 3: Verify Docker Credential Helper
Ensure that Docker is correctly configured to use the pass credential store.
- Check Docker Configuration:
Open the Docker configuration file (~/.docker/config.json) and ensure it contains:
{
  "auths": {
    "https://index.docker.io/v1/": {}
  },
  "credsStore": "pass",
  "currentContext": "desktop-linux",
  "plugins": {
    "-x-cli-hints": { "enabled": "true" },
    "debug": { "hooks": "exec" },
    "scout": { "hooks": "pull,buildx build" }
  },
  "features": { "hooks": "true" }
}
- Reinitialize Docker Credential Store if Necessary:
docker-credential-pass init
- Log in to Docker Again:
docker login
Step 4: Test and Troubleshoot
- Manually Cache Your GPG Passphrase:
Sign a file to manually cache your GPG passphrase:
gpg --sign /tmp/testfile
Enter your passphrase when prompted. This will cache the passphrase according to your gpg-agent settings.
- Check for Specific Errors:
Ensure your GPG key is valid and not expired:
gpg --edit-key <YOUR_GPG_KEY_ID>
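A quick audit of the two files edited in Steps 2 and 3, as an added example that is not part of the original post. It flags a pinentry path that does not exist, cache TTLs that conflict or run long, a missing credsStore, and credentials still stored inline in config.json. The function names, the MAX_TTL_OK ceiling and the sample files are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example: audits the two files edited in this guide.
# MAX_TTL_OK is an assumed policy ceiling, not a GnuPG default.
MAX_TTL_OK=${MAX_TTL_OK:-7200}

# Print the last value set for KEY in a gpg-agent.conf style file.
conf_value() { awk -v k="$1" '$1 == k { v = $2 } END { print v }' "$2"; }

# check_agent_conf FILE: one finding per line, nothing if clean.
check_agent_conf() {
    pin=$(conf_value pinentry-program "$1")
    def=$(conf_value default-cache-ttl "$1")
    max=$(conf_value max-cache-ttl "$1")
    # A pinentry path that is not executable means gpg cannot prompt at all.
    if [ -n "$pin" ] && [ ! -x "$pin" ]; then echo "pinentry-not-executable:$pin"; fi
    # Idle timeout above the hard cap: max-cache-ttl ends the cache first.
    if [ -n "$def" ] && [ -n "$max" ] && [ "$def" -gt "$max" ]; then
        echo "default-ttl-exceeds-max:$def>$max"
    fi
    # While the passphrase is cached, any process running as this user can
    # ask the agent to decrypt the stored registry credential.
    if [ -n "$max" ] && [ "$max" -gt "$MAX_TTL_OK" ]; then echo "max-ttl-too-long:$max"; fi
    return 0
}

# check_docker_conf FILE: flags a missing helper and leftover inline secrets.
check_docker_conf() {
    store=$(sed -n 's/.*"credsStore"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1")
    [ -n "$store" ] || echo "no-credsStore"
    # "auth": "<base64>" entries are credentials kept in the file itself.
    inline=$(grep -c '"auth"[[:space:]]*:' "$1" || true)
    [ "$inline" -eq 0 ] || echo "inline-auth-entries:$inline"
    return 0
}

# Constructed sample files (not taken from a real system).
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
printf '%s\n' 'pinentry-program /nonexistent/pinentry-demo' \
    'default-cache-ttl 600' 'max-cache-ttl 86400' > "$demo/gpg-agent.conf"
printf '%s\n' '{ "auths": { "https://index.docker.io/v1/": { "auth": "Y29uc3RydWN0ZWQ6ZGVtbw==" } },' \
    '  "credsStore": "pass" }' > "$demo/config.json"

check_agent_conf "$demo/gpg-agent.conf"
check_docker_conf "$demo/config.json"
```

To audit a real setup, call the two functions on ~/.gnupg/gpg-agent.conf and ~/.docker/config.json instead of the sample files.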
Optional: Remove Passphrase from GPG Key (Less Secure)
If you prefer not to use a passphrase for your GPG key (this is less secure), you can remove the passphrase:
- Remove Passphrase from GPG Key:
gpg --edit-key <YOUR_GPG_KEY_ID>
In the GPG prompt:
gpg> passwd
Follow the prompts to remove the passphrase.
Conclusion
By configuring gpg-agent to cache your passphrase and ensuring Docker is properly set up, you can resolve the credential decryption issues on Arch Linux. This setup allows Docker to access GPG-encrypted credentials automatically, streamlining your workflow and eliminating manual passphrase entry.
If you continue to encounter issues, consider switching to a different credential store like secretservice for GNOME Keyring or kwallet for KDE, depending on your desktop environment.