Fixing Docker Credential Store Issues on Arch Linux

Docker credential store issues on Arch Linux

A comprehensive guide to troubleshooting and fixing Docker credential store issues on Arch Linux using GPG and pass.

12th July 2024

Tags: linux, docker, gpg, guide


Introduction

If you use Docker on Arch Linux and see the error gpg: public key decryption failed: No such file or directory during docker login, docker pull or docker push, you're not alone. The message comes from GPG, not from Docker: Docker's pass credential helper has asked gpg to decrypt a stored registry credential, and gpg-agent could not obtain the passphrase for the key. The "No such file or directory" part usually means the agent failed to start the configured pinentry program (the path in gpg-agent.conf does not exist) or had no terminal to prompt on (GPG_TTY unset). This blog post will guide you through diagnosing and fixing the issue.

Understanding the Issue

When Docker's credsStore is set to pass, every registry credential is a GPG-encrypted file under ~/.password-store, and docker-credential-pass calls gpg to decrypt it on each registry operation. If the key that protects the store has a passphrase, gpg-agent must either already have that passphrase cached or be able to prompt for it. When neither is possible (no usable pinentry, no TTY, or an agent that is not running) the decryption fails, docker-credential-pass returns an error, and the Docker operation aborts with the message above.

Step-by-Step Guide to Fixing the Issue

Step 1: Verify pass and GPG Setup

First, ensure pass and GPG are installed and correctly set up on your system.

sudo pacman -S pass gnupg

Initialize pass with the ID of the key that should protect the store. Skip this if ~/.password-store/.gpg-id already exists; running pass init with a different key re-encrypts every existing entry to the key you name:

gpg --list-keys
pass init <YOUR_GPG_KEY_ID>

Step 2: Configure gpg-agent for Automatic Passphrase Entry

To allow Docker to access GPG-protected credentials without a passphrase prompt on every registry call, configure gpg-agent so that it can prompt once and cache the passphrase for subsequent docker-credential-pass invocations.

  1. Edit gpg-agent Configuration:
    Create or edit the ~/.gnupg/gpg-agent.conf file with the following content:
    pinentry-program /usr/bin/pinentry-gtk-2
    default-cache-ttl 600
    max-cache-ttl 7200
    
    • pinentry-program: The program gpg-agent runs to ask for the passphrase. You can use pinentry-gtk-2, pinentry-qt, or pinentry-curses, depending on your desktop, but check that the path you write actually exists (ls /usr/bin/pinentry-* lists what is installed). A pinentry-program path that does not exist is itself a cause of the "No such file or directory" error, because the agent cannot execute it.
    • default-cache-ttl: Seconds a cached passphrase stays valid after its last use.
    • max-cache-ttl: Upper bound in seconds on how long a passphrase stays cached, regardless of use. Pick values that match how long you are willing to have registry credentials readable without a prompt; a long max-cache-ttl is convenient but widens the window in which anything running as your user can read the store.
  2. Reload gpg-agent Configuration:
    gpg-connect-agent reloadagent /bye
    
    If a changed pinentry-program does not take effect after reloading, stop the agent with gpgconf --kill gpg-agent; it is restarted automatically on the next gpg call.
  3. Set GPG Environment Variable:
    Terminal-based pinentry programs need to know which terminal to draw on, and gpg reads that from GPG_TTY. Ensure the following line is present in your shell configuration file (~/.bashrc, ~/.zshrc, etc.):
    export GPG_TTY=$(tty)
    

    Reload your shell configuration:
    source ~/.bashrc  # or ~/.zshrc
    

Step 3: Verify Docker Credential Helper

Ensure that Docker is correctly configured to use the pass credential store.

  1. Check Docker Configuration:
    Open the Docker configuration file (~/.docker/config.json) and ensure that "credsStore" is set to "pass". That key alone selects the helper: Docker runs docker-credential-pass (the credsStore value with a docker-credential- prefix), so the helper binary must be on your PATH. Registries listed under "auths" have empty objects because the secret itself lives in the pass store, not in config.json. The "currentContext", "plugins" and "features" keys in the example below come from a Docker Desktop installation and are not required for the credential helper; a minimal file contains only "auths" and "credsStore".
    {
        "auths": {
            "https://index.docker.io/v1/": {}
        },
        "credsStore": "pass",
        "currentContext": "desktop-linux",
        "plugins": {
            "-x-cli-hints": {
                "enabled": "true"
            },
            "debug": {
                "hooks": "exec"
            },
            "scout": {
                "hooks": "pull,buildx build"
            }
        },
        "features": {
            "hooks": "true"
        }
    }
    
  2. Reinitialize Docker Credential Store if Necessary:
    docker-credential-pass init
    
  3. Log in to Docker Again:
    With credsStore set, docker login hands the token to docker-credential-pass, which encrypts it into the pass store instead of writing it to config.json:
    docker login
    

Step 4: Test and Troubleshoot

  1. Manually Cache Your GPG Passphrase:
    Sign a file (create /tmp/testfile first if it does not exist) to make gpg-agent prompt for and cache your GPG passphrase:
    gpg --sign /tmp/testfile
    

    Enter your passphrase when prompted. This caches the passphrase according to your gpg-agent settings. Note that gpg-agent caches per key: signing unlocks your signing key, while pass decrypts with your encryption subkey, so if the two are separate keys this test can pass and Docker can still prompt. Decrypting any existing entry with pass show <EXISTING_ENTRY> exercises exactly the key and code path the helper uses and is the more faithful test.
  2. Check for Specific Errors:
    Ensure your GPG key is valid and not expired. The key listing printed when the edit prompt opens shows each key's expiry; gpg refuses to encrypt to an expired key, so an expired encryption subkey makes docker login (which stores a new credential) fail even if existing entries still decrypt:
    gpg --edit-key <YOUR_GPG_KEY_ID>
    
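The checks from Steps 2 to 4 can be scripted. The following diagnostic is an added example, not code from the original post or from the Docker project: it validates the gpg-agent.conf settings (pinentry path exists, cache TTLs sane), confirms that config.json selects the pass helper, and, when docker-credential-pass is installed, drives the helper's own store/get/erase protocol with a constructed entry for a non-existent registry (https://registry.example.invalid/v1/, username probe) so the decryption path is exercised without contacting a real registry. It assumes a POSIX shell with sed and grep; file locations can be overridden with the GPG_AGENT_CONF and DOCKER_CONFIG_JSON variables, which are this script's own names, not Docker or GnuPG settings.

```shell
#!/bin/sh
# Diagnostics for the pass + gpg-agent credential store setup from Steps 1-4.
# Added example, not code from the original post or the Docker project.
# Assumes a POSIX shell with sed/grep; variables are global (no "local") so
# it runs under dash as well as bash. The helper round-trip is skipped when
# docker-credential-pass is not installed.

# Print the value of "key value" from a gpg-agent.conf style file; the last
# occurrence wins and trailing whitespace is dropped.
conf_value() {
    sed -n "s/^[[:space:]]*$1[[:space:]][[:space:]]*//p" "$2" | tail -n 1 | sed 's/[[:space:]]*$//'
}

# gpg-agent.conf checks: pinentry-program must point at an executable (a
# dangling path is itself a cause of "public key decryption failed: No such
# file or directory") and the cache TTLs must be integers, default <= max.
check_agent_conf() {
    conf="${1:-$HOME/.gnupg/gpg-agent.conf}"
    [ -r "$conf" ] || { echo "cannot read $conf"; return 1; }
    pinentry=$(conf_value pinentry-program "$conf")
    if [ -n "$pinentry" ] && [ ! -x "$pinentry" ]; then
        echo "pinentry-program '$pinentry' is not executable (see ls /usr/bin/pinentry-*)"
        return 1
    fi
    def=$(conf_value default-cache-ttl "$conf")
    max=$(conf_value max-cache-ttl "$conf")
    for v in "${def:-0}" "${max:-0}"; do
        case "$v" in
            *[!0-9]*) echo "cache ttl '$v' is not an integer"; return 1 ;;
        esac
    done
    if [ -n "$def" ] && [ -n "$max" ] && [ "$def" -gt "$max" ]; then
        echo "default-cache-ttl ($def) exceeds max-cache-ttl ($max)"
        return 1
    fi
    return 0
}

# Print the credsStore value from a Docker config.json, empty if unset.
# Only this key selects the helper; the other keys are environment-specific.
creds_store_of() {
    cfg="${1:-$HOME/.docker/config.json}"
    [ -r "$cfg" ] || return 1
    grep -o '"credsStore"[[:space:]]*:[[:space:]]*"[^"]*"' "$cfg" \
        | head -n 1 | sed 's/.*"\([^"]*\)"$/\1/'
}

# Succeed only when config.json selects the pass helper.
check_docker_conf() {
    store=$(creds_store_of "$1")
    if [ "$store" != "pass" ]; then
        echo "credsStore is '${store:-unset}', expected 'pass'"
        return 1
    fi
    return 0
}

# Exercise the credential helper protocol (store, get, erase) with a
# constructed entry for a registry that does not exist. docker login and
# docker pull drive the same protocol, so this reproduces the decryption
# error without touching a real registry. Needs an initialised pass store
# and a cached or promptable passphrase.
helper_roundtrip() {
    command -v docker-credential-pass >/dev/null 2>&1 \
        || { echo "docker-credential-pass not in PATH, skipping round-trip"; return 0; }
    url="https://registry.example.invalid/v1/"   # constructed test data
    printf '{"ServerURL":"%s","Username":"probe","Secret":"not-a-real-token"}' "$url" \
        | docker-credential-pass store || { echo "store failed"; return 1; }
    out=$(printf '%s' "$url" | docker-credential-pass get) \
        || { echo "get failed (this is the decryption path): $out"; return 1; }
    printf '%s' "$url" | docker-credential-pass erase
    case "$out" in
        *probe*) return 0 ;;
        *) echo "unexpected get output: $out"; return 1 ;;
    esac
}

# Run every check against the real files. GPG_AGENT_CONF and
# DOCKER_CONFIG_JSON are this script's own override variables.
run_all() {
    status=0
    [ -n "$GPG_TTY" ] || { echo 'GPG_TTY is not exported (export GPG_TTY=$(tty))'; status=1; }
    check_agent_conf "${GPG_AGENT_CONF:-}" || status=1
    check_docker_conf "${DOCKER_CONFIG_JSON:-}" || status=1
    helper_roundtrip || status=1
    return $status
}

# Usage: sh docker-creds-check.sh --run
if [ "${1:-}" = "--run" ]; then run_all; fi
```

Run it from the same interactive shell that fails, so GPG_TTY and the agent socket match what Docker sees. A failing helper_roundtrip while check_agent_conf passes usually means the passphrase is not cached for the encryption subkey; after a successful docker login, pass ls docker-credential-helpers lists the stored registry entries.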

Optional: Remove Passphrase from GPG Key (Less Secure)

If you prefer not to use a passphrase for your GPG key, you can remove it. Understand the trade-off first: with no passphrase, protection of every registry token in the store is reduced to the filesystem permissions on ~/.gnupg and ~/.password-store, and any process running as your user can read them with a plain pass show. Raising max-cache-ttl in gpg-agent.conf is usually the better compromise.

  1. Remove Passphrase from GPG Key:
    gpg --edit-key <YOUR_GPG_KEY_ID>
    

    In the GPG prompt:
    gpg> passwd
    

    Enter the current passphrase, leave the new passphrase empty, confirm that you really want no protection, then type save to leave the prompt.

Conclusion

By configuring gpg-agent to cache your passphrase and ensuring Docker is properly set up, you can resolve the credential decryption issues on Arch Linux. This setup lets docker-credential-pass decrypt GPG-encrypted credentials from the agent's cache, so you are prompted once per cache period rather than on every registry operation.

If you continue to encounter issues, consider switching to a different credential store such as secretservice for GNOME Keyring or kwallet for KDE, depending on your desktop environment. Whatever value you put in credsStore, the matching docker-credential-<name> binary must be installed and on your PATH, and the backing keyring must be unlocked when Docker runs.