docker / desktop-linux

Bug reports for Docker Desktop for Linux
https://docs.docker.com/desktop/linux/

[Feature request] Support freedesktop.org secret service API for credential management #18

Open christianfosli opened 2 years ago

christianfosli commented 2 years ago

Description

The freedesktop.org secret service API allows client applications to store secrets securely in a service running in the user's login session. It can use e.g. Gnome Keyring or KDE KWallet.

Use case

Log in to Docker Desktop / Docker Hub without having to create a gpg key and configure pass.

References

See https://specifications.freedesktop.org/secret-service/latest/ch01.html

docker-robott commented 1 year ago

There hasn't been any activity on this issue for a long time. If the problem is still relevant, mark the issue as fresh with a /remove-lifecycle stale comment. If not, this issue will be closed in 30 days.

Prevent issues from auto-closing with a /lifecycle frozen comment.

/lifecycle stale

christianfosli commented 1 year ago

This is still relevant, at least to me. Docker desktop for Linux relies on pass to store credentials, which is completely fine, but I think it would be great to be able to choose another secret service :smile:

/remove-lifecycle stale

docker-robot[bot] commented 1 year ago

There hasn't been any activity on this issue for a long time. If the problem is still relevant, mark the issue as fresh with a /remove-lifecycle stale comment. If not, this issue will be closed in 30 days.

Prevent issues from auto-closing with a /lifecycle frozen comment.

/lifecycle stale

fox8091 commented 1 year ago

This is still relevant, at least to me, as I don't exactly wish to deploy a specific password manager for a program to store passwords when instead said program could just as easily use the keyring provided by gnome-keyring/kwallet (for Gnome/KDE Plasma respectively). The lack of support is especially odd given that the system keyring is used on OSX.

/remove-lifecycle stale

ajtucker commented 10 months ago

The secret service API can be used by downloading the docker-credential-secretservice binary from https://github.com/docker/docker-credential-helpers/releases (e.g. put in ~/.local/bin) and setting "credsStore": "secretservice" in ~/.docker/config.json.

Davidnet commented 9 months ago

Hi @ajtucker so that means that we can change that and avoid using gpg and pass? Is there anything in the documentation we can follow?

swantzter commented 2 months ago

@ajtucker that workaround doesn't seem to work for docker desktop itself, I at least still get asked to initialize pass

ajtucker commented 2 months ago

> @ajtucker that workaround doesn't seem to work for docker desktop itself, I at least still get asked to initialize pass

I'm afraid I've now moved to using pass (after Authy desktop was discontinued!), so no longer have the problem myself.

@swantzter, which distribution and desktop are you using? I wonder whether ~/.local/bin/docker-credential-secretservice might not be on the path for the desktop? Or perhaps it needs to be executable (mine is).

swantzter commented 2 months ago

I've personally moved away from pass fairly recently :sweat_smile:

I'm on Arch+sway, I've got it in my path as /usr/bin/docker-credential-secretservice since I installed it using the package manager, I can execute it fine from my shell

Sn0wCrack commented 2 months ago

It looks like you also need to update the Docker Desktop settings file as well as the Docker Daemon settings file.

Editing the file ~/.docker/desktop/settings.json and changing the credentialHelper key to "docker-credential-secretservice" seems to allow sign in via secret service.

Ideally this would be something we could configure via the settings in the UI so we can select an eligible Credential Store (or just use the one from the daemon file honestly), but at the very least this works for now for those that know what they're doing.

swantzter commented 1 month ago

That does seem to work, thank you
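
The three conditions the thread converges on (helper binary on the PATH and executable, `credsStore` in `~/.docker/config.json`, `credentialHelper` in `~/.docker/desktop/settings.json`) can be verified in one pass. The following is an added example, not part of any comment above and not Docker's own code; the function name `check_secretservice_setup` is hypothetical, and it assumes both files are plain JSON objects using the keys and values quoted in the thread.

```python
import json
import shutil
from pathlib import Path

HELPER = "docker-credential-secretservice"  # binary name given in the thread


def _read_key(path, key):
    """Return (value, problem); problem is None when the file parsed cleanly."""
    try:
        data = json.loads(Path(path).read_text())
    except FileNotFoundError:
        return None, f"{path}: file not found"
    except (json.JSONDecodeError, OSError) as exc:
        return None, f"{path}: unreadable ({exc})"
    if not isinstance(data, dict):
        return None, f"{path}: top level is not a JSON object"
    return data.get(key), None


def check_secretservice_setup(home=None, search_path=None):
    """List what still blocks sign-in through the secret service helper."""
    home = Path(home) if home else Path.home()
    problems = []

    # 1. The helper must be on PATH and executable (shutil.which checks both).
    #    A desktop session may see a different PATH than the login shell.
    if shutil.which(HELPER, path=search_path) is None:
        problems.append(f"{HELPER} is not an executable on PATH")

    # 2. CLI side: "credsStore" holds the helper name without its prefix.
    # 3. Docker Desktop side: "credentialHelper" holds the full binary name.
    expected = [
        (home / ".docker" / "config.json", "credsStore", "secretservice"),
        (home / ".docker" / "desktop" / "settings.json", "credentialHelper", HELPER),
    ]
    for path, key, want in expected:
        value, problem = _read_key(path, key)
        if problem:
            problems.append(problem)
        elif value != want:
            problems.append(f"{path}: {key} is {value!r}, expected {want!r}")
    return problems


if __name__ == "__main__":
    for line in check_secretservice_setup() or ["all three checks passed"]:
        print(line)
```

An empty result means all three settings match what the thread reports as working; run it from the same session that launches Docker Desktop so the PATH check reflects what the application sees.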