Merge pull request rancher-sandbox#8946 from mook-as/creds/no-require-pass

Nino-K · web-flow · commit ccaf89a40f1e · 2025-09-15T10:38:57.000-07:00
RPM spec: don't require pass
diff --git a/.github/actions/spelling/expect.txt b/.github/actions/spelling/expect.txt
@@ -449,6 +449,7 @@ libgtk
 libnspr
 libnss
 libpango
+libsecret
 libva
 libx
 libxcb
diff --git a/bats/tests/helpers/commands.bash b/bats/tests/helpers/commands.bash
@@ -17,7 +17,11 @@ fi
 if is_macos; then
     CRED_HELPER="$PATH_RESOURCES/$PLATFORM/bin/docker-credential-osxkeychain"
 elif is_linux; then
-    CRED_HELPER="$PATH_RESOURCES/$PLATFORM/bin/docker-credential-pass"
+    if command -v pass; then
+        CRED_HELPER="$PATH_RESOURCES/$PLATFORM/bin/docker-credential-pass"
+    else
+        CRED_HELPER="$PATH_RESOURCES/$PLATFORM/bin/docker-credential-secretservice"
+    fi
 elif is_windows; then
     # Our docker-cli for WSL defaults to "wincred.exe" as well
     CRED_HELPER="$PATH_RESOURCES/win32/bin/docker-credential-wincred.exe"
diff --git a/packaging/linux/rancher-desktop.spec b/packaging/linux/rancher-desktop.spec
@@ -49,7 +49,6 @@ Requires: qemu-utils
 Requires: qemu-system-x86
 Requires: pass
 Requires: openssh-client
-Requires: gnupg
 Requires: gnutls-bin # To enumerate system certificates
 Requires: libasound2
 Requires: libatk1.0-0
@@ -83,9 +82,9 @@ Requires: qemu
 Requires: openssh-clients
 
 %if 0%{?fedora} || 0%{?rhel}
-Requires: pass
+Requires: (pass or libsecret)
 %else
-Requires: password-store
+Requires: (password-store or libsecret-1-0)
 Requires: qemu-img
 %endif
 
diff --git a/pkg/rancher-desktop/utils/__tests__/dockerDirManager.spec.ts b/pkg/rancher-desktop/utils/__tests__/dockerDirManager.spec.ts
@@ -435,17 +435,40 @@ describe('DockerDirManager', () => {
     });
 
     it('should return the right cred helper for the right platform', async() => {
+      jest.spyOn(subj as any, 'credHelperWorking').mockReturnValue(true);
       await expect(subj['getCredsStoreFor'](undefined)).resolves.toEqual(platformDefaultHelper);
     });
 
     it('should return the platform helper if the existing one does not work', async() => {
-      jest.spyOn(subj as any, 'credHelperWorking').mockResolvedValue(false);
+      jest.spyOn<any, any, (_: string) => Promise<boolean>>(subj, 'credHelperWorking').mockImplementation((helperName) => {
+        return Promise.resolve(os.platform() === 'linux' && helperName === 'pass');
+      });
       await expect(subj['getCredsStoreFor']('broken-helper')).resolves.toEqual(platformDefaultHelper);
     });
 
-    itLinux('should return secretservice when that is the current value', async() => {
-      jest.spyOn(subj as any, 'credHelperWorking').mockResolvedValue(false);
-      await expect(subj['getCredsStoreFor']('secretservice')).resolves.toEqual('secretservice');
+    itLinux('should default to pass when it works', async() => {
+      jest.spyOn<any, any, (_: string) => Promise<boolean>>(subj, 'credHelperWorking').mockImplementation((helperName) => {
+        expect(helperName).toEqual('pass');
+
+        return Promise.resolve(true);
+      });
+      await expect(subj['getCredsStoreFor'](undefined)).resolves.toEqual('pass');
+    });
+
+    itLinux('should default to pass when secretservice is broken', async() => {
+      jest.spyOn<any, any, (_: string) => Promise<boolean>>(subj, 'credHelperWorking').mockImplementation((helperName) => {
+        return Promise.resolve(helperName === 'pass');
+      });
+      await expect(subj['getCredsStoreFor']('secretservice')).resolves.toEqual('pass');
+    });
+
+    itLinux('should default to secretservice when pass does not work', async() => {
+      jest.spyOn<any, any, (_: string) => Promise<boolean>>(subj, 'credHelperWorking').mockImplementation((helperName) => {
+        expect(helperName).toEqual('pass');
+
+        return Promise.resolve(false);
+      });
+      await expect(subj['getCredsStoreFor'](undefined)).resolves.toEqual('secretservice');
     });
   });
 });
diff --git a/pkg/rancher-desktop/utils/dockerDirManager.ts b/pkg/rancher-desktop/utils/dockerDirManager.ts
@@ -283,11 +283,12 @@ export class DockerDirManager {
     } else if (platform === 'darwin') {
       return 'osxkeychain';
     } else if (platform === 'linux') {
-      if (currentCredsStore === 'secretservice') {
-        return 'secretservice';
-      } else {
+      // On Linux, we need to match the logic used by oras-go (used by helm):
+      // If `pass` works, use it; otherwise use secret service.
+      if (await this.credHelperWorking('pass')) {
         return 'pass';
       }
+      return 'secretservice';
     } else {
       throw new Error(`platform "${ platform }" is not supported`);
     }
