feat: add support for gopass as a credential store

.github/workflows/build.yml

@@ -69,26 +69,30 @@ jobs:
         if: startsWith(matrix.os, 'macOS-')
         run: |
           brew install pass
+      -
+        name: Install gopass
+        env:
+          GOPASS_VERSION: v1.15.5
+        run: go install github.com/gopasspw/gopass@${{ env.GOPASS_VERSION }}
       -
         name: GPG conf
-        if: ${{ !startsWith(matrix.os, 'windows-') }}
         uses: actions/github-script@v7
         id: gpg
         with:
           script: |
             const fs = require('fs');
-            const gnupgfolder = `${require('os').homedir()}/.gnupg`;
+            const sep = require('path').sep;
+            const gnupgfolder = `${require('os').homedir()}${sep}.gnupg`;
             if (!fs.existsSync(gnupgfolder)){
               fs.mkdirSync(gnupgfolder);
             }
-            fs.copyFile('.github/workflows/fixtures/gpg.conf', `${gnupgfolder}/gpg.conf`, (err) => {
+            fs.copyFile('.github/workflows/fixtures/gpg.conf', `${gnupgfolder}${sep}gpg.conf`, (err) => {
               if (err) throw err;
             });
             core.setOutput('key', fs.readFileSync('.github/workflows/fixtures/7D851EB72D73BDA0.key', {encoding: 'utf8'}));
             core.setOutput('passphrase', fs.readFileSync('.github/workflows/fixtures/7D851EB72D73BDA0.pass', {encoding: 'utf8'}));
       -
         name: Import GPG key
-        if: ${{ !startsWith(matrix.os, 'windows-') }}
         uses: crazy-max/ghaction-import-gpg@v6
         with:
           gpg_private_key: ${{ steps.gpg.outputs.key }}
@@ -100,6 +104,18 @@ jobs:
         run: |
           pass init 7D851EB72D73BDA0
         shell: bash
+      -
+        name: Init gopass
+        run: |
+          gopass config mounts.path "${HOME}/.gopass-password-store" 1>/dev/null
+          gopass config core.autopush false 1>/dev/null
+          gopass config core.autosync false 1>/dev/null
+          gopass config core.exportkeys false 1>/dev/null
+          gopass config core.notifications false 1>/dev/null
+          gopass config core.color false 1>/dev/null
+          gopass config core.nopager true 1>/dev/null
+          gopass init --crypto gpgcli --storage fs 7D851EB72D73BDA0
+        shell: bash
       -
         name: Test
         run: |
@@ -108,6 +124,7 @@ jobs:
       -
         name: Upload coverage
         uses: codecov/codecov-action@v5
+        if: github.repository == 'docker/docker-credential-helpers'
         with:
           files: ${{ env.DESTDIR }}/coverage.txt
           token: ${{ secrets.CODECOV_TOKEN }}
@@ -129,6 +146,7 @@ jobs:
       -
         name: Upload coverage
         uses: codecov/codecov-action@v5
+        if: github.repository == 'docker/docker-credential-helpers'
         with:
           files: ${{ env.DESTDIR }}//coverage.txt
           token: ${{ secrets.CODECOV_TOKEN }}
@@ -171,7 +189,9 @@ jobs:
           if-no-files-found: error
       -
         name: GitHub Release
-        if: startsWith(github.ref, 'refs/tags/v')
+        if: |
+          startsWith(github.ref, 'refs/tags/v') &&
+          github.repository == 'docker/docker-credential-helpers'
         uses: softprops/action-gh-release@c95fe1489396fe8a9eb87c0abf8aa5b2ef267fda  # v2.2.1
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

Dockerfile

@@ -7,6 +7,7 @@ ARG XX_VERSION=1.6.1
 ARG OSXCROSS_VERSION=11.3-r7-debian
 ARG GOLANGCI_LINT_VERSION=v1.61.0
 ARG DEBIAN_FRONTEND=noninteractive
+ARG GOPASS_VERSION=v1.15.5
 
 ARG PACKAGE=github.com/docker/docker-credential-helpers
 
@@ -70,12 +71,19 @@ RUN xx-apt-get install -y binutils gcc libc6-dev libgcc-11-dev libsecret-1-dev p
 
 FROM base AS test
 ARG DEBIAN_FRONTEND
+ARG GOPASS_VERSION
 RUN xx-apt-get install -y dbus-x11 gnome-keyring gpg-agent gpgconf libsecret-1-dev pass
+RUN --mount=type=bind,target=. \
+    --mount=type=cache,target=/root/.cache \
+    --mount=type=cache,target=/go/pkg/mod \
+    GOFLAGS='' go install github.com/gopasspw/gopass@${GOPASS_VERSION}
 RUN --mount=type=bind,target=. \
     --mount=type=cache,target=/root/.cache \
     --mount=type=cache,target=/go/pkg/mod <<EOT
   set -e
+
   cp -r .github/workflows/fixtures /root/.gnupg
+  chmod 0400 /root/.gnupg
   gpg-connect-agent "RELOADAGENT" /bye
   gpg --import --batch --yes /root/.gnupg/7D851EB72D73BDA0.key
   gpg --update-trustdb
@@ -84,7 +92,20 @@ RUN --mount=type=bind,target=. \
   gpg-connect-agent "KEYINFO 3E2D1142AA59E08E16B7E2C64BA6DDC773B1A627" /bye
   gpg-connect-agent "PRESET_PASSPHRASE BA83FC8947213477F28ADC019F6564A956456163 -1 77697468207374757069642070617373706872617365" /bye
   gpg-connect-agent "KEYINFO BA83FC8947213477F28ADC019F6564A956456163" /bye
+
+  # initialize password store for `pass`
   pass init 7D851EB72D73BDA0
+
+  # initialize password store for `gopass`
+  gopass config mounts.path /root/.gopass-password-store 1>/dev/null
+  gopass config core.autopush false 1>/dev/null
+  gopass config core.autosync false 1>/dev/null
+  gopass config core.exportkeys false 1>/dev/null
+  gopass config core.notifications false 1>/dev/null
+  gopass config core.color false 1>/dev/null
+  gopass config core.nopager true 1>/dev/null
+  gopass init --crypto gpgcli --storage fs 7D851EB72D73BDA0
+
   gpg -k
 
   mkdir /out
@@ -108,7 +129,8 @@ RUN --mount=type=bind,target=. \
     --mount=type=bind,source=/tmp/.revision,target=/tmp/.revision,from=version <<EOT
   set -ex
   xx-go --wrap
-  make build-pass build-secretservice PACKAGE=$PACKAGE VERSION=$(cat /tmp/.version) REVISION=$(cat /tmp/.revision) DESTDIR=/out
+  make build-gopass build-pass build-secretservice PACKAGE=$PACKAGE VERSION=$(cat /tmp/.version) REVISION=$(cat /tmp/.revision) DESTDIR=/out
+  xx-verify /out/docker-credential-gopass
   xx-verify /out/docker-credential-pass
   xx-verify /out/docker-credential-secretservice
 EOT
@@ -125,7 +147,8 @@ RUN --mount=type=bind,target=. \
   export MACOSX_VERSION_MIN=$(make print-MACOSX_DEPLOYMENT_TARGET)
   xx-go --wrap
   go install std
-  make build-osxkeychain build-pass PACKAGE=$PACKAGE VERSION=$(cat /tmp/.version) REVISION=$(cat /tmp/.revision) DESTDIR=/out
+  make build-gopass build-osxkeychain build-pass PACKAGE=$PACKAGE VERSION=$(cat /tmp/.version) REVISION=$(cat /tmp/.revision) DESTDIR=/out
+  xx-verify /out/docker-credential-gopass
   xx-verify /out/docker-credential-osxkeychain
   xx-verify /out/docker-credential-pass
 EOT
@@ -139,7 +162,9 @@ RUN --mount=type=bind,target=. \
     --mount=type=bind,source=/tmp/.revision,target=/tmp/.revision,from=version <<EOT
   set -ex
   xx-go --wrap
-  make build-wincred PACKAGE=$PACKAGE VERSION=$(cat /tmp/.version) REVISION=$(cat /tmp/.revision) DESTDIR=/out
+  make build-gopass build-wincred PACKAGE=$PACKAGE VERSION=$(cat /tmp/.version) REVISION=$(cat /tmp/.revision) DESTDIR=/out
+  mv /out/docker-credential-gopass /out/docker-credential-gopass.exe
+  xx-verify /out/docker-credential-gopass.exe
   mv /out/docker-credential-wincred /out/docker-credential-wincred.exe
   xx-verify /out/docker-credential-wincred.exe
 EOT

Makefile

@@ -23,11 +23,12 @@ clean:
 	rm -rf bin
 
 .PHONY: build-%
-build-%: # build, can be one of build-osxkeychain build-pass build-secretservice build-wincred
+build-%: # build, can be one of build-gopass build-osxkeychain build-pass build-secretservice build-wincred
 	go build -trimpath -ldflags="$(GO_LDFLAGS) -X ${GO_PKG}/credentials.Name=docker-credential-$*" -o "$(DESTDIR)/docker-credential-$*" ./$*/cmd/
 
 # aliases for build-* targets
-.PHONY: osxkeychain secretservice pass wincred
+.PHONY: gopass osxkeychain secretservice pass wincred
+gopass: build-gopass
 osxkeychain: build-osxkeychain
 secretservice: build-secretservice
 pass: build-pass

README.md

@@ -80,15 +80,26 @@ You can see examples of each function in the [client](https://godoc.org/github.c
 
 ### Available programs
 
-1. osxkeychain: Provides a helper to use the OS X keychain as credentials store.
-2. secretservice: Provides a helper to use the D-Bus secret service as credentials store.
-3. wincred: Provides a helper to use Windows credentials manager as store.
-4. pass: Provides a helper to use `pass` as credentials store.
+- gopass: Provides a helper to use `gopass` as credentials store.
+- osxkeychain: Provides a helper to use the OS X keychain as credentials store.
+- pass: Provides a helper to use `pass` as credentials store.
+- secretservice: Provides a helper to use the D-Bus secret service as credentials store.
+- wincred: Provides a helper to use Windows credentials manager as store.
 
-#### Note
+#### Note regarding `gopass`
 
-`pass` needs to be configured for `docker-credential-pass` to work properly.
-It must be initialized with a `gpg2` key ID. Make sure your GPG key exists is in `gpg2` keyring as `pass` uses `gpg2` instead of the regular `gpg`.
+`gopass` requires manual intervention in order for `docker-credential-gopass` to
+work properly: a password store must be initialized. Please ensure to review the
+upstream [quick start guide][gopass-quick-start] for more information.
+
+[gopass-quick-start]: https://github.com/gopasspw/gopass#quick-start-guide
+
+#### Note regarding `pass`
+
+`pass` requires manual interview in order for `docker-credential-pass` to
+work properly. It must be initialized with a `gpg2` key ID. Make sure your GPG
+key exists is in `gpg2` keyring as `pass` uses `gpg2` instead of the regular
+`gpg`.
 
 ## Development
 

gopass/cmd/main.go

@@ -0,0 +1,10 @@
+package main
+
+import (
+	"github.com/docker/docker-credential-helpers/credentials"
+	"github.com/docker/docker-credential-helpers/gopass"
+)
+
+func main() {
+	credentials.Serve(gopass.Gopass{})
+}