How to install `docker-credential-pass`

They are described here:

The file available in the release section of the GitHub page is statically linked so is runnable w/o any issues on NixOS.

But having a file in the middle of nowhere isn’t the best way to install stuff on NixOS.

I understand this is an old post, but I figured I’ll reply in case someone else comes by as I did, wondering about how to install docker-credential-pass helper for pass to store the authentication credentials for Docker Hub in an encrypted format in a password-store after login instead of a file.


Overview

  1. Packages
    1.1. Rebuild & switch…
  2. Generate GPG keys, import or fetch the ID for an existing one
    An imported key needs to be trusted
  3. Initiate password-store in pass
  4. Insert password-store init check
  5. Set password to: pass is initialized
  6. Test that it worked
  7. Should display pass is initialized if successful
  8. Login: docker login -u "$USER"
  9. Optional: Check the authentication credentials after successful login with pass

In detail

1. Packages

/etc/nixos/configuration.nix

  # Add user to the docker group
  users.users.<myuser>.extraGroups = [ "docker" ];
  environment.systemPackages = with pkgs; [
    gnupg                             # For cryptographic keys
    docker docker-credential-helpers  # Docker & docker-credential-pass
    pass                              # To use with docker-credential-pass
    # nvidia-docker                   # Nvidia runtime with GPU support
  ];
  virtualisation = {
    docker = {
      enable = true;                  # Enable Docker
      # enableNvidia = true;          # Enable Nvidia container runtime
    };
  };

1.1. Rebuild & switch…

2. Generate GPG keys, import or fetch the ID for an existing one

gpg --generate-key       # Generate a new key
gpg --list-keys          # List existing keys, also shows the ID, get the last 16 characters of the ID for the short-form
gpg --import "$KEY_FILE" # Import key(s)

Note: An imported key needs to be trusted

# Using GPG
gpg --edit-key "$KEY_ID"
#    gpg> trust

# Using GPG2
gpg2 --edit-key "$KEY_ID"
#    gpg2> trust

Set the trust level accordingly; the trust levels will be displayed for you within gpg after executing trust when editing the key. Alternatively, import with the flag --trust-model always.

3. Initiate password-store in pass

Use the ID of the key generated/listed or imported in the previous step.

pass init "$KEY_ID"

4. Insert password-store init check

pass insert docker-credential-helpers/docker-pass-initialized-check

5. Set password to: pass is initialized

6. Test that it worked

pass show docker-credential-helpers/docker-pass-initialized-check

7. Should display pass is initialized if successful

You can now login to the Docker Hub using your username and access token and your login credentials will be stored encrypted in pass’s password-store instead of a file.

8. Login: docker login -u "$USER"

9. Optional: Check the authentication credentials after successful login with pass

Ex.

pass
# Output ↓
Password Store
└── docker-credential-helpers
    ├── $TOKEN                # Redacted
    │   └── $USER             # Redacted
    └── docker-pass-initialized-check

Hopefully it will be helpful to someone else that comes by :pray:
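
Added example, not part of the post above: a check that the login really went to pass and left no secret in Docker's own config file. It assumes the Docker CLI's `~/.docker/config.json`, where the `credsStore` key (value `pass` for `docker-credential-pass`) or a `credHelpers` entry selects the helper; the post does not show that file, and `audit_docker_config` and the `BEFORE`/`AFTER` samples are constructed for illustration.

```python
import base64
import binascii
import json
from pathlib import Path


def _user_of(auth_b64: str) -> str:
    """Return only the user part of an inline base64("user:secret") value."""
    try:
        return base64.b64decode(auth_b64).decode(errors="replace").split(":", 1)[0]
    except (binascii.Error, ValueError):
        return "<undecodable>"


def audit_docker_config(cfg: dict, helper: str = "pass") -> dict:
    """Classify each registry in a parsed config.json: secret stored inline
    in the file, or lookup delegated to a docker-credential-<suffix> helper."""
    store = cfg.get("credsStore")              # global helper suffix
    per_registry = cfg.get("credHelpers", {})  # registry -> helper suffix
    inline, delegated = [], []
    for registry, entry in cfg.get("auths", {}).items():
        if entry.get("auth") or entry.get("identitytoken"):
            # Secret is sitting in the file itself; report the user name only
            inline.append((registry, _user_of(entry.get("auth", ""))))
        elif per_registry.get(registry, store):  # exact key match, else global
            delegated.append((registry, per_registry.get(registry, store)))
    return {
        "uses_helper": store == helper or helper in per_registry.values(),
        "inline_secrets": inline,
        "delegated": delegated,
    }


# Constructed samples: a config written without a helper, and one with it.
HUB = "https://index.docker.io/v1/"
BEFORE = {"auths": {HUB: {"auth": base64.b64encode(b"alice:not-a-real-token").decode()}}}
AFTER = {"auths": {HUB: {}}, "credsStore": "pass"}

if __name__ == "__main__":
    path = Path.home() / ".docker" / "config.json"
    cfg = json.loads(path.read_text()) if path.exists() else AFTER
    print(json.dumps(audit_docker_config(cfg), indent=2))
```

A non-empty `inline_secrets` list means a credential is still readable from the file; logging out of that registry and logging in again with the helper configured moves it into the password-store.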