Merge pull request #408 from docker/dependabot/github_actions/actions/upload-artifact-7

build(deps): bump actions/upload-artifact from 6 to 7
Merge pull request #409 from docker/dependabot/github_actions/crazy-max/ghaction-import-gpg-7
2026-06-28 23:32:02 +05:30 · 2026-03-05 11:15:50 +01:00 · 2026-03-05 11:15:27 +01:00 · 2026-03-05 11:15:06 +01:00 · 2026-03-05 09:43:23 +00:00 · 2026-03-04 11:02:41 +01:00
109 changed files with 28308 additions and 1756 deletions
@@ -0,0 +1 @@
 /bin
@@ -0,0 +1,4 @@
 # Code of conduct
 - [Moby community guidelines](https://github.com/moby/moby/blob/master/CONTRIBUTING.md#moby-community-guidelines)
 - [Docker Code of Conduct](https://github.com/docker/code-of-conduct)
@@ -0,0 +1,289 @@
 # Contribute to this repository
 This page contains information about reporting issues as well as some tips and
 guidelines useful to experienced open source contributors.
 ## Reporting security issues
 The project maintainers take security seriously. If you discover a security
 issue, please bring it to their attention right away!
 **Please _DO NOT_ file a public issue**, instead send your report privately to
 [security@docker.com](mailto:security@docker.com).
 Security reports are greatly appreciated and we will publicly thank you for it.
 We also like to send gifts&mdash;if you're into schwag, make sure to let
 us know. We currently do not offer a paid security bounty program, but are not
 ruling it out in the future.
 ## Reporting other issues
 A great way to contribute to the project is to send a detailed report when you
 encounter an issue. We always appreciate a well-written, thorough bug report,
 and will thank you for it!
 Check that [the issue database](https://github.com/docker/docker-credential-helpers/issues)
 doesn't already include that problem or suggestion before submitting an issue.
 If you find a match, you can use the "subscribe" button to get notified on
 updates. Do *not* leave random "+1" or "I have this too" comments, as they
 only clutter the discussion, and don't help resolving it. However, if you
 have ways to reproduce the issue or have additional information that may help
 resolving the issue, please leave a comment.
 Include the steps required to reproduce the problem if possible and applicable.
 This information will help us review and fix your issue faster. When sending
 lengthy log-files, consider posting them as an attachment, instead of posting
 inline.
 **Do not forget to remove sensitive data from your logfiles before submitting**
 (you can replace those parts with "REDACTED").
 ### Pull requests are always welcome
 Not sure if that typo is worth a pull request? Found a bug and know how to fix
 it? Do it! We will appreciate it.
 If your pull request is not accepted on the first try, don't be discouraged! If
 there's a problem with the implementation, hopefully you received feedback on
 what to improve.
 We're trying very hard to keep this project lean and focused. We don't want it to
 do everything for everybody. This means that we might decide against
 incorporating a new feature. However, there might be a way to implement that
 feature *on top of* code in this project.
 ### Design and cleanup proposals
 You can propose new designs for existing features. You can also design
 entirely new features. We really appreciate contributors who want to refactor or
 otherwise cleanup our project.
 ### Sign your work
 The sign-off is a simple line at the end of the explanation for the patch. Your
 signature certifies that you wrote the patch or otherwise have the right to pass
 it on as an open-source patch. The rules are pretty simple: if you can certify
 the below (from [developercertificate.org](https://developercertificate.org)):
 ```
 Developer Certificate of Origin
 Version 1.1
 Copyright (C) 2004, 2006 The Linux Foundation and its contributors.
 Everyone is permitted to copy and distribute verbatim copies of this
 license document, but changing it is not allowed.
 Developer's Certificate of Origin 1.1
 By making a contribution to this project, I certify that:
 (a) The contribution was created in whole or in part by me and I
    have the right to submit it under the open source license
    indicated in the file; or
 (b) The contribution is based upon previous work that, to the best
    of my knowledge, is covered under an appropriate open source
    license and I have the right under that license to submit that
    work with modifications, whether created in whole or in part
    by me, under the same open source license (unless I am
    permitted to submit under a different license), as indicated
    in the file; or
 (c) The contribution was provided directly to me by some other
    person who certified (a), (b) or (c) and I have not modified
    it.
 (d) I understand and agree that this project and the contribution
    are public and that a record of the contribution (including all
    personal information I submit with it, including my sign-off) is
    maintained indefinitely and may be redistributed consistent with
    this project or the open source license(s) involved.
 ```
 Then you just add a line to every git commit message:
    Signed-off-by: Joe Smith <joe.smith@email.com>
 **Use your real name** (sorry, no pseudonyms or anonymous contributions.)
 If you set your `user.name` and `user.email` git configs, you can sign your
 commit automatically with `git commit -s`.
 ### Run the unit- and integration-tests
 To validate PRs before submitting them you should run:
 ```bash
 $ make validate
 ```
 To run the tests:
 ```bash
 $ make test
 ```
 To generate new vendored files with go modules run:
 ```bash
 $ make vendor
 ```
 ### Conventions
 - Fork the repository and make changes on your fork in a feature branch
 - Submit tests for your changes. See [run the unit- and integration-tests](#run-the-unit--and-integration-tests)
  for details.
 - [Sign your work](#sign-your-work)
 Write clean code. Universally formatted code promotes ease of writing, reading,
 and maintenance. Always run `gofmt -s -w file.go` on each changed file before
 committing your changes. Most editors have plug-ins that do this automatically.
 Pull request descriptions should be as clear as possible and include a
 reference to all the issues that they address. Be sure that the [commit
 messages](#commit-messages) also contain the relevant information.
 ### Successful Changes
 Before contributing large or high impact changes, make the effort to coordinate
 with the maintainers of the project before submitting a pull request. This
 prevents you from doing extra work that may or may not be merged.
 Large PRs that are just submitted without any prior communication are unlikely
 to be successful.
 While pull requests are the methodology for submitting changes to code, changes
 are much more likely to be accepted if they are accompanied by additional
 engineering work. While we don't define this explicitly, most of these goals
 are accomplished through communication of the design goals and subsequent
 solutions. Often times, it helps to first state the problem before presenting
 solutions.
 Typically, the best methods of accomplishing this are to submit an issue,
 stating the problem. This issue can include a problem statement and a
 checklist with requirements. If solutions are proposed, alternatives should be
 listed and eliminated. Even if the criteria for elimination of a solution is
 frivolous, say so.
 Larger changes typically work best with design documents. These are focused on
 providing context to the design at the time the feature was conceived and can
 inform future documentation contributions.
 ### Commit Messages
 Commit messages must start with a capitalized and short summary (max. 50 chars)
 written in the imperative, followed by an optional, more detailed explanatory
 text which is separated from the summary by an empty line.
 Commit messages should follow best practices, including explaining the context
 of the problem and how it was solved, including in caveats or follow up changes
 required. They should tell the story of the change and provide readers
 understanding of what led to it.
 If you're lost about what this even means, please see [How to Write a Git
 Commit Message](http://chris.beams.io/posts/git-commit/) for a start.
 In practice, the best approach to maintaining a nice commit message is to
 leverage a `git add -p` and `git commit --amend` to formulate a solid
 changeset. This allows one to piece together a change, as information becomes
 available.
 If you squash a series of commits, don't just submit that. Re-write the commit
 message, as if the series of commits was a single stroke of brilliance.
 That said, there is no requirement to have a single commit for a PR, as long as
 each commit tells the story. For example, if there is a feature that requires a
 package, it might make sense to have the package in a separate commit then have
 a subsequent commit that uses it.
 Remember, you're telling part of the story with the commit message. Don't make
 your chapter weird.
 ### Review
 Code review comments may be added to your pull request. Discuss, then make the
 suggested modifications and push additional commits to your feature branch. Post
 a comment after pushing. New commits show up in the pull request automatically,
 but the reviewers are notified only when you comment.
 Pull requests must be cleanly rebased on top of master without multiple branches
 mixed into the PR.
 > **Git tip**: If your PR no longer merges cleanly, use `rebase master` in your
 > feature branch to update your pull request rather than `merge master`.
 Before you make a pull request, squash your commits into logical units of work
 using `git rebase -i` and `git push -f`. A logical unit of work is a consistent
 set of patches that should be reviewed together: for example, upgrading the
 version of a vendored dependency and taking advantage of its now available new
 feature constitute two separate units of work. Implementing a new function and
 calling it in another file constitute a single logical unit of work. The very
 high majority of submissions should have a single commit, so if in doubt: squash
 down to one.
 - After every commit, [make sure the test suite passes](#run-the-unit--and-integration-tests).
  Include documentation changes in the same pull request so that a revert would
  remove all traces of the feature or fix.
 - Include an issue reference like `closes #XXXX` or `fixes #XXXX` in the PR
  description that close an issue. Including references automatically closes
  the issue on a merge.
 - Do not add yourself to the `AUTHORS` file, as it is regenerated regularly
  from the Git history.
 - See the [Coding Style](#coding-style) for further guidelines.
 ### Merge approval
 Project maintainers use LGTM (Looks Good To Me) in comments on the code review to
 indicate acceptance, or use the Github review approval feature.
 ## Coding Style
 Unless explicitly stated, we follow all coding guidelines from the Go
 community. While some of these standards may seem arbitrary, they somehow seem
 to result in a solid, consistent codebase.
 It is possible that the code base does not currently comply with these
 guidelines. We are not looking for a massive PR that fixes this, since that
 goes against the spirit of the guidelines. All new contributions should make a
 best effort to clean up and make the code base better than they left it.
 Obviously, apply your best judgement. Remember, the goal here is to make the
 code base easier for humans to navigate and understand. Always keep that in
 mind when nudging others to comply.
 The rules:
 1. All code should be formatted with `gofmt -s`.
 2. All code should pass the default levels of
   [`golint`](https://github.com/golang/lint).
 3. All code should follow the guidelines covered in [Effective Go](http://golang.org/doc/effective_go.html)
   and [Go Code Review Comments](https://github.com/golang/go/wiki/CodeReviewComments).
 4. Comment the code. Tell us the why, the history and the context.
 5. Document _all_ declarations and methods, even private ones. Declare
   expectations, caveats and anything else that may be important. If a type
   gets exported, having the comments already there will ensure it's ready.
 6. Variable name length should be proportional to its context and no longer.
   `noCommaALongVariableNameLikeThisIsNotMoreClearWhenASimpleCommentWouldDo`.
   In practice, short methods will have short variable names and globals will
   have longer names.
 7. No underscores in package names. If you need a compound name, step back,
   and re-examine why you need a compound name. If you still think you need a
   compound name, lose the underscore.
 8. No utils or helpers packages. If a function is not general enough to
   warrant its own package, it has not been written generally enough to be a
   part of a util package. Just leave it unexported and well-documented.
 9. All tests should run with `go test` and outside tooling should not be
   required. No, we don't need another unit testing framework. Assertion
   packages are acceptable if they provide _real_ incremental value.
 10. Even though we call these "rules" above, they are actually just
    guidelines. Since you've read all the rules, you now know that.
 If you are having trouble getting into the mood of idiomatic Go, we recommend
 reading through [Effective Go](https://golang.org/doc/effective_go.html). The
 [Go Blog](https://blog.golang.org) is also a great resource.
@@ -0,0 +1,30 @@
 <!--
 Please make sure you've read and understood our contributing guidelines;
 https://github.com/docker/cli/blob/master/CONTRIBUTING.md
 ** Make sure all your commits include a signature generated with `git commit -s` **
 For additional information on our contributing process, read our contributing
 guide https://docs.docker.com/opensource/code/
 If this is a bug fix, make sure your description includes "fixes #xxxx", or
 "closes #xxxx"
 Please provide the following information:
 -->
 **- What I did**
 **- How I did it**
 **- How to verify it**
 **- Description for the changelog**
 <!--
 Write a short (one line) summary that describes the changes in this
 pull request for inclusion in the changelog:
 -->
 **- A picture of a cute animal (not mandatory but encouraged)**
@@ -0,0 +1,12 @@
 # Reporting security issues
 The project maintainers take security seriously. If you discover a security
 issue, please bring it to their attention right away!
 **Please _DO NOT_ file a public issue**, instead send your report privately to
 [security@docker.com](mailto:security@docker.com).
 Security reports are greatly appreciated, and we will publicly thank you for it.
 We also like to send gifts&mdash;if you're into schwag, make sure to let
 us know. We currently do not offer a paid security bounty program, but are not
 ruling it out in the future.
@@ -0,0 +1,10 @@
 version: 2
 updates:
  - package-ecosystem: "github-actions"
    open-pull-requests-limit: 10
    directory: "/"
    schedule:
      interval: "daily"
    labels:
      - "dependencies"
      - "bot"
@@ -0,0 +1,211 @@
 name: build
 # Default to 'contents: read', which grants actions to read commits.
 #
 # If any permission is set, any permission not included in the list is
 # implicitly set to "none".
 #
 # see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
 permissions:
  contents: read
 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
 on:
  workflow_dispatch:
  push:
    branches:
      - 'main'
    tags:
      - 'v*'
  pull_request:
 env:
  DESTDIR: ./bin
  GO_VERSION: 1.25.7
 jobs:
  validate:
    runs-on: ubuntu-24.04
    timeout-minutes: 30 # guardrails timeout for the whole job
    strategy:
      fail-fast: false
      matrix:
        target:
          - lint
          - validate-vendor
    steps:
      -
        name: Checkout
        uses: actions/checkout@v6
      -
        name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v4
      -
        name: Run
        run: |
          make ${{ matrix.target }}
  test:
    runs-on: ${{ matrix.os }}
    timeout-minutes: 30 # guardrails timeout for the whole job
    strategy:
      fail-fast: false
      matrix:
        os:
          - ubuntu-24.04
          - ubuntu-22.04
          - macOS-15-intel
          - macOS-15
          - macOS-14
          - windows-2022
    steps:
      -
        name: Checkout
        uses: actions/checkout@v6
      -
        name: Set up Go
        uses: actions/setup-go@v6
        with:
          go-version: ${{ env.GO_VERSION }}
      -
        name: Install deps (ubuntu)
        if: startsWith(matrix.os, 'ubuntu-')
        run: |
          sudo apt-get update
          sudo apt-get install -y dbus-x11 gnome-keyring libsecret-1-dev pass
      -
        name: Install deps (macOS)
        if: startsWith(matrix.os, 'macOS-')
        run: |
          brew install pass
      -
        name: GPG conf
        if: ${{ !startsWith(matrix.os, 'windows-') }}
        uses: actions/github-script@v8
        id: gpg
        with:
          script: |
            const fs = require('fs');
            const gnupgfolder = `${require('os').homedir()}/.gnupg`;
            if (!fs.existsSync(gnupgfolder)){
              fs.mkdirSync(gnupgfolder);
            }
            fs.copyFile('.github/workflows/fixtures/gpg.conf', `${gnupgfolder}/gpg.conf`, (err) => {
              if (err) throw err;
            });
            core.setOutput('key', fs.readFileSync('.github/workflows/fixtures/7D851EB72D73BDA0.key', {encoding: 'utf8'}));
            core.setOutput('passphrase', fs.readFileSync('.github/workflows/fixtures/7D851EB72D73BDA0.pass', {encoding: 'utf8'}));
      -
        name: Import GPG key
        if: ${{ !startsWith(matrix.os, 'windows-') }}
        uses: crazy-max/ghaction-import-gpg@v7
        with:
          gpg_private_key: ${{ steps.gpg.outputs.key }}
          passphrase: ${{ steps.gpg.outputs.passphrase }}
          trust_level: 5
      -
        name: Init pass
        if: ${{ !startsWith(matrix.os, 'windows-') }}
        run: |
          pass init 7D851EB72D73BDA0
        shell: bash
      -
        name: Test
        run: |
          make test COVERAGEDIR=${{ env.DESTDIR }}
        shell: bash
      -
        name: Upload coverage
        uses: codecov/codecov-action@v5
        with:
          files: ${{ env.DESTDIR }}/coverage.txt
          token: ${{ secrets.CODECOV_TOKEN }}
  test-sandboxed:
    runs-on: ubuntu-24.04
    timeout-minutes: 30 # guardrails timeout for the whole job
    steps:
      -
        name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v4
      -
        name: Test
        uses: docker/bake-action@v6
        with:
          targets: test
          set: |
            *.cache-from=type=gha,scope=test
            *.cache-to=type=gha,scope=test,mode=max
      -
        name: Upload coverage
        uses: codecov/codecov-action@v5
        with:
          files: ${{ env.DESTDIR }}//coverage.txt
          token: ${{ secrets.CODECOV_TOKEN }}
  build:
    runs-on: ubuntu-24.04
    timeout-minutes: 30 # guardrails timeout for the whole job
    permissions:
      # required to create GitHub release
      contents: write
    steps:
      -
        name: Checkout
        uses: actions/checkout@v6
        with:
          fetch-depth: 0
      -
        name: Set up QEMU
        uses: docker/setup-qemu-action@v4
      -
        name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v4
      -
        name: Build
        run: |
          make release
        env:
          CACHE_FROM: type=gha,scope=build
          CACHE_TO: type=gha,scope=build,mode=max
      -
        name: List artifacts
        run: |
          tree -nh ${{ env.DESTDIR }}
      -
        name: Check artifacts
        run: |
          find ${{ env.DESTDIR }} -type f -exec file -e ascii -e text -- {} +
      -
        name: Upload artifacts
        uses: actions/upload-artifact@v7
        with:
          name: docker-credential-helpers
          path: ${{ env.DESTDIR }}/*
          if-no-files-found: error
      -
        name: GitHub Release
        if: startsWith(github.ref, 'refs/tags/v')
        uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b  # v2.5.0
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          draft: true
          files: ${{ env.DESTDIR }}/*
  build-deb:
    runs-on: ubuntu-24.04
    timeout-minutes: 30 # guardrails timeout for the whole job
    steps:
      -
        name: Checkout
        uses: actions/checkout@v6
        with:
          fetch-depth: 0
      -
        name: Build
        run: |
          make deb
@@ -0,0 +1,106 @@
 -----BEGIN PGP PRIVATE KEY BLOCK-----
 lQdGBF6tzaABEACjFbX7PFEG6vDPN2MPyxYW7/3o/sonORj4HXUFjFxxJxktJ3x3
 N1ayHPJ1lqIeoiY7jVbq0ZdEVGkd3YsKG9ZMdZkzGzY6PQPC/+M8OnzOiOPwUdWc
 +Tdhh115LvVz0MMKYiab6Sn9cgxj9On3LCQKpjvMDpPo9Ttf6v2GQIw8h2ACvdzQ
 71LtIELS/I+dLbfZiwpUu2fhQT13EJkEnYMOYwM5jNUd66P9itUc7MrOWjkicrKP
 oF1dQaCM+tuKuxvD8WLdiwU5x60NoGkJHHUehKQXl2dVzjpqEqHKEBJt9tfJ9lpE
 YIisgwB8o3pes0fgCehjW2zI95/o9+ayJ6nl4g5+mSvWRXEu66h71nwM0Yuvquk8
 3me7qhYfDrDdCwcxS5BS1hwakTgUQLD99FZjbx1j8sq96I65O0GRdyU2PR8KIjwu
 JrkTH4ZlKxK3FQghUhFoA5GkiDb+eClmRMSni5qg+81T4XChmUkEprA3eWCHL+Ma
 xRNNxLS+r6hH9HG5JBxpV3iaTI9HHpnQKhEeaLXqsUTDZliN9hP7Ywo8bpUB8j2d
 oWYwDV4dPyMKr6Fb8RDCh2q5gJGbVp8w/NmmBTeL+IP2fFggJkRfyumv3Ul7x66L
 tBFQ4rYo4JUUrGweSTneG6REIgxH66hIrNl6Vo/D1ZyknTe1dMOu/BTkkQARAQAB
 /gcDAqra8KO+h3bfyu90vxTL1ro4x/x9il7VBcWlIR4cBP7Imgxv+T4hwPIu8P1x
 lOlxLNWegFOV0idoTy1o3VLLBev/F+IlspX4A+2XEIddR6nZnKFi0Lv2L4TKgE9E
 VJJTszmviDIRLMLN9dWzDfA8hj5tR5Inot92CHRF414AS22JHvlhbFSLQnjqsN+C
 n1cQpNOJhkxsSfZsxjnFa/70y/u8v0o8mzyLZmk9HpzRHGzoz8IfpLp8OTqBR9u6
 zzoKLy16zZO55OKbj7h8uVZvDUq9l8iDICpqWMdZqBJIl56MBexYKgYxh3YO/8v2
 oXli+8Xuaq5QLiCN3yT7IbKoYzplnFfaJwFiMh7R1iPLXaYAZ0qdRijlbtseTK1m
 oHNkwUbxVzjkh4LfE8UpmMwZn5ZjWni3230SoiXuKy0OHkGvwGvWWAL1mEuoYuUI
 mFMcH5MnixP8oQYZKDj2IR/yEeOpdU6B/tr3Tk1NidLf7pUMqG7Ff1NU6dAUeBpa
 9xahITMjHvrhgMISY4IYZep5cEnVw8lQTpUJtW/ePMzrFhu3sA7oNdj9joW/VMfz
 H7MHwwavtICsYqoqV3lnjX4EC9dW6o8PTUg2u956dmtK7KAyUK/+w2aLNGT28ChN
 jhRYHvHzB9Kw5asqI/lTM49eqslBqYQMTTjdBphkYuSZQzNMf291j/ZmoLhD1A1a
 S8tUnNygKV4D1cJYgSXfzhFoU8ib/0SPo+KqQ+CzGS+wxXg6WNBA6wepTjpnVVx3
 4JADP8IJcDC3P0iwAreWjSy15F1cvemFFB0SLNUkyZGzsxtKzbM1+8khl68+eazC
 LzRj0rxfIF5znWjX1QFhKxCk6eF0IWDY0+b3DBkmChME9YDXJ3TthcqA7JgcX4JI
 M4/wdqhgerJYOmj+i2Q0M+Bu02icOJYMwTMMsDVl7XGHkaCuRgZ54eZAUH7JFwUm
 1Ct3tcaqiTMmz0ngHVqBTauzgqKDvzwdVqdfg05H364nJMay/3omR6GayIb5CwSo
 xdNVwG3myPPradT9MP09mDr4ys2zcnQmCkvTVBF6cMZ1Eh6PQQ8CyQWv0zkaBnqj
 JrM1hRpgW4ZlRosSIjCaaJjolN5QDcXBM9TbW9ww+ZYstazN2bV1ZQ7BEjlHQPa1
 BhzMsvqkbETHsIpDNF52gZKn3Q9eIX05BeadzpHUb5/XOheIHVIdhSaTlgl/qQW5
 hQgPGSzSV6KhXEY7aevTdvOgq++WiELkjfz2f2lQFesTjFoQWEvxVDUmLxHtEhaN
 DOuh4H3mX5Opn3pLQmqWVhJTbFdx+g5qQd0NCW4mDaTFWTRLFLZQsSJxDSeg9xrY
 gmaii8NhMZRwquADW+6iU6KfraBhngi7HRz4TfqPr9ma/KUY464cqim1fnwXejyx
 jsb5YHR9R66i+F6P/ysF5w+QuVdDt1fnf9GLay0r6qxpA8ft2vGPcDs4806Huj+7
 Aq5VeJaNkCuh3GR3xVnCFAz/7AtkO6xKuZm8B3q904UuMdSmkhWbaobIuF/B2B6S
 eawIXQHEOplK3ic26d8Ckf4gbjeORfELcMAEi5nGXpTThCdmxQApCLxAYYnTfQT1
 xhlDwT9xPEabo98mIwJJsAU5VsTDYW+qfo4qIx8gYoSKc9Xu3yVh3n+9k43Gcm5V
 9lvK1slijf+TzODZt/jsmkF8mPjXyP5KOI+xQp/m4PxW3pp57YrYj/Rnwga+8DKX
 jMsW7mLAAZ/e+PY6z/s3x1Krfk+Bb5Ph4mI0zjw5weQdtyEToRgveda0GEpvZSBU
 ZXN0ZXIgPGpvZUBmb28uYmFyPokCNgQQAQgAIAUCXq3NoAYLCQcIAwIEFQgKAgQW
 AgEAAhkBAhsDAh4BAAoJEH2FHrctc72gxtQP/AulaClIcn/kDt43mhYnyLglPfbo
 AqPlU26chXolBg0Wo0frFY3aIs5SrcWEf8aR4XLwCFGyi3vya0CUxjghN5tZBYqo
 vswbT00zP3ohxxlJFCRRR9bc7OZXCgTddtfVf6EKrUAzIkbWyAhaJnwJy/1UGpSw
 SEO/KpastrVKf3sv1wqOeFQ4DFyjaNda+xv3dVWS8db7KogqJiPFZXrQK3FKVIxS
 fxRSmKaYN7//d+xwVAEY++RrnL/o8B2kV6N68cCpQWJELyYnJzis9LBcWd/3wiYh
 efTyY+ePKUjcB+kEZnyJfLc7C2hll2e7UJ0fxv+k8vHReRhrNWmGRXsjNRxiw3U0
 hfvxD/C8nyqAbeTHp4XDX78Tc3XCysAqIYboIL+RyewDMjjLj5vzUYAdUdtyNaD7
 C6M2R6pN1GAt52CJmC/Z6F7W7GFGoYOdEkVdMQDsjCwScyEUNlGj9Zagw5M2EgSe
 6gaHgMgTzsMzCc4W6WV5RcS55cfDNOXtxPsMJTt4FmXrjl11prBzpMfpU5a9zxDZ
 oi54ZZ8VPE6jsT4Lzw3sni3c83wm28ArM20AzZ1vh7fk3Sfd0u4Yaz7s9JlEm5+D
 34tEyli28+QjCQc18EfQUiJqiYEJRxJXJ3esvMHfYi45pV/Eh5DgRW1305fUJV/6
 +rGpg0NejsHoZdZPnQdGBF6tzaABEAC4mVXTkVk6Kdfa4r5zlzsoIrR27laUlMkb
 OBMt+aokqS+BEbmTnMg6xIAmcUT5uvGAc8S/WhrPoYfc15fTUyHIz8ZbDoAg0LO6
 0Io4VkAvNJNEnsSV9VdLBh/XYlc4K49JqKyWTL4/FJFAGbsmHY3b+QU90AS6FYRv
 KeBAoiyebrjx0vmzb8E8h3xthVLN+AfMlR1ickY62zvnpkbncSMY/skur1D2KfbF
 3sFprty2pEtjFcyB5+18l2IyyHGOlEUw1PZdOAV4/Myh1EZRgYBPs80lYTJALCVF
 IdOakH33WJCImtNZB0AbDTABG+JtMjQGscOa0qzf1Y/7tlhgCrynBBdaIJTx95TD
 21BUHcHOu5yTIS6Ulysxfkv611+BiOKHgdq7DVGP78VuzA7bCjlP1+vHqIt3cnIa
 t2tEyuZ/XF4uc3/i4g0uP9r7AmtET7Z6SKECWjpVv+UEgLx5Cv+ql+LSKYQMvU9a
 i3B1F9fatn3FSLVYrL4aRxu4TSw9POb0/lgDNmN3lGQOsjGCZPibkHjgPEVxKuiq
 9Oi38/VTQ0ZKAmHwBTq1WTZIrPrCW0/YMQ6yIJZulwQ9Yx1cgzYzEfg04fPXlXMi
 vkvNpKbYIICzqj0/DVztz9wgpW6mnd0A2VX2dqbMM0fJUCHA6pj8AvXY4R+9Q4rj
 eWRK9ycInQARAQAB/gcDApjt7biRO0PEyrrAiUwDMsJL4/CVMu11qUWEPjKe2Grh
 ZTW3N+m3neKPRULu+LUtndUcEdVWUCoDzAJ7MwihZtV5vKST/5Scd2inonOaJqoA
 nS3wnEMN/Sc93HAZiZnFx3NKjQVNCwbuEs45mXkkcjLm2iadrTL8fL4acsu5IsvD
 LbDwVOPeNnHKl6Hr20e39fK0FuJEyH49JM6U3B1/8385sJB8+E24+hvSF81aMddh
 Ne4Bc3ZYiYaKxe1quPNKC0CQhAZiT7LsMfkInXr0hY1I+kISNXEJ1dPYOEWiv0Ze
 jD5Pupn34okKNEeBCx+dK8BmUCi6Jgs7McUA7hN0D/YUS++5fuR55UQq2j8Ui0tS
 P8GDr86upH3PgEL0STh9fYfJ7TesxurwonWjlmmT62Myl4Pr+RmpS6PXOnhtcADm
 eGLpzhTveFj4JBLMpyYHgBTqcs12zfprATOpsI/89kmQoGCZpG6+AbfSHqNNPdy2
 eqUCBhOZlIIda1z/cexmU3f/gBqyflFf8fkvmlO4AvI8aMH3OpgHdWnzh+AB51xj
 kmdD/oWel9v7Dz4HoZUfwFaLZ0fE3P9voD8e+sCwqQwVqRY4L/BOYPD5noVOKgOj
 ABNKu5uKrobj6rFUi6DTUCjFGcmoF1Sc06xFNaagUNggRbmlC/dz22RWdDUYv5ra
 N6TxIDkGC0cK6ujyK0nes3DN0aHjgwWuMXDYkN3UckiebI4Cv/eF9jvUKOSiIcy1
 RtxdazZS4dYg2LBMeJKVkPi5elsNyw2812nEY3du/nEkQYXfYgWOF27OR+g4Y9Yw
 1BiqJ1TTjbQnd/khOCrrbzDH1mw00+1XVsT6wjObuYqqxPPS87UrqmMf6OdoYfPm
 zEOnNLBnsJ5VQM3A3pcT40RfdBrZRO8LjGhzKTreyq3C+jz0RLa5HNE8GgOhGyck
 ME4h+RhXlE8KGM+tTo6PA1NJSrEt+8kZzxjP4rIEn0aVthCkNXK12inuXtnHm0ao
 iLUlQOsfPFEnzl0TUPd7+z7j/wB+XiKU/AyEUuB0mvdxdKtqXvajahOyhLjzHQhz
 ZnNlgANGtiqcSoJmkJ8yAvhrtQX51fQLftxbArRW1RYk/5l+Gy3azR+gUC17M6JN
 jrUYxn0zlAxDGFH7gACHUONwVekcuEffHzgu2lk7MyO1Y+lPnwabqjG0eWWHuU00
 hskJlXyhj7DeR12bwjYkyyjG62GvOH02g3OMvUgNGH+K321Dz539csCh/xwtg7Wt
 U3YAphU7htQ1dPDfk1IRs7DQo2L+ZTE57vmL5m0l6fTataEWBPUXkygfQFUJOM6Q
 yY76UEZww1OSDujNeY171NSTzXCVkUeAdAMXgjaHXWLK2QUQUoXbYX/Kr7Vvt9Fu
 Jh6eGjjp7dSjQ9+DW8CAB8vxd93gsQQGWYjmGu8khkEmx6OdZhmSbDbe915LQTb9
 sPhk2s5/Szsvr5W2JJ2321JI6KXBJMZvPC5jEBWmRzOYkRd2vloft+CSMfXF+Zfd
 nYtc6R3dvb9vcjo+a9wFtfcoDsO0MaPSM+9GB25MamdatmGX6iLOy9Re1UABwUi/
 VhTWNkP5uzqx0sDwHEIa2rYOwxpIZDwwjM3oOASCW1DDBQ0BI9KNjfIeL3ubx2mS
 2x8hFU9qSK4umoDNbzOqGPSlkdbiPcNjF2ZcSN1qQZiYdwLL5dw6APNyBVjxTN1J
 gkCdJ/HwAY+r93Lbl5g8gz8d0vJEyfn//34sn9u+toSTw55GcG9Ks1kSKIeDNh0h
 MiPm3HmJAh8EGAEIAAkFAl6tzaACGwwACgkQfYUety1zvaBV9hAAgliX36pXJ59g
 3I9/4R68e/fGg0FMM6D+01yCeiKApOYRrJ0cYKn7ITDYmHhlGGpBAie90UsqX12h
 hdLP7LoQx7sjTyzQt6JmpA8krIwi2ON7FKBkdYb8IYx4mE/5vKnYT4/SFnwTmnZY
 +m+NzK2U/qmhq8JyO8gozdAKJUcgz49IVv2Ij0tQ4qaPbyPwQxIDyKnT758nJhB1
 jTqo+oWtER8q3okzIlqcArqn5rDaNJx+DRYL4E/IddyHQAiUWUka8usIUqeW5reu
 zoPUE2CCfOJSGArkqHQQqMx0WEzjQTwAPaHrQbera4SbiV/o4CLCV/u5p1Qnig+Q
 iUsakmlD299t//125LIQEa5qzd9hRC7u1uJS7VdW8eGIEcZ0/XT/sr+z23z0kpZH
 D3dXPX0BwM4IP9xu31CNg10x0rKwjbxy8VaskFEelpqpu+gpAnxqMd1evpeUHcOd
 r5RgPgkNFfba9Nbxf7uEX+HOmsOM+kdtSmdGIvsBZjVnW31nnoDMp49jG4OynjrH
 cRuoM9sxdr6UDqb22CZ3/e0YN4UaZM3YDWMVaP/QBVgvIFcdByqNWezpd9T4ZUII
 MZlaV1uRnHg6B/zTzhIdMM80AXz6Uv6kw4S+Lt7HlbrnMT7uKLuvzH7cle0hcIUa
 PejgXO0uIRolYQ3sz2tMGhx1MfBqH64=
 =WbwB
 -----END PGP PRIVATE KEY BLOCK-----
@@ -0,0 +1 @@
 with stupid passphrase
@@ -1,9 +1,6 @@
 #!/usr/bin/env sh
 set -ex
 sh -e /etc/init.d/xvfb start
 sleep 3 # give xvfb some time to start
 # init key for pass
 gpg --batch --gen-key <<-EOF
 %echo Generating a standard key
 Key-Type: DSA
@@ -17,6 +14,3 @@ Expire-Date: 0
 %commit
 %echo done
 EOF
 key=$(gpg --no-auto-check-trustdb --list-secret-keys | grep ^sec | cut -d/ -f2 | cut -d" " -f1)
 pass init $key
@@ -0,0 +1,3 @@
 default-cache-ttl 21600
 max-cache-ttl 31536000
 allow-preset-passphrase
@@ -0,0 +1,71 @@
 ################################################################################
 # GnuPG Options
 # (OpenPGP-Configuration-Options)
 # Assume that command line arguments are given as UTF8 strings.
 utf8-strings
 # (OpenPGP-Protocol-Options)
 # Set the list of personal digest/cipher/compression preferences. This allows
 # the user to safely override the algorithm chosen by the recipient key
 # preferences, as GPG will only select an algorithm that is usable by all
 # recipients.
 personal-digest-preferences SHA512 SHA384 SHA256 SHA224
 personal-cipher-preferences AES256 AES192 AES CAST5 CAMELLIA192 BLOWFISH TWOFISH CAMELLIA128 3DES
 personal-compress-preferences ZLIB BZIP2 ZIP
 # Set the list of default preferences to string. This preference list is used
 # for new keys and becomes the default for "setpref" in the edit menu.
 default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
 # (OpenPGP-Esoteric-Options)
 # Use name as the message digest algorithm used when signing a key. Running the
 # program with the command --version yields a list of supported algorithms. Be
 # aware that if you choose an algorithm that GnuPG supports but other OpenPGP
 # implementations do not, then some users will not be able to use the key
 # signatures you make, or quite possibly your entire key.
 #
 # SHA-1 is the only algorithm specified for OpenPGP V4. By changing the
 # cert-digest-algo, the OpenPGP V4 specification is not met but with even
 # GnuPG 1.4.10 (release 2009) supporting SHA-2 algorithm, this should be safe.
 # Source: https://tools.ietf.org/html/rfc4880#section-12.2
 cert-digest-algo SHA512
 digest-algo SHA256
 # Selects how passphrases for symmetric encryption are mangled. 3 (the default)
 # iterates the whole process a number of times (see --s2k-count).
 s2k-mode 3
 # (OpenPGP-Protocol-Options)
 # Use name as the cipher algorithm for symmetric encryption with a passphrase
 # if --personal-cipher-preferences and --cipher-algo are not given. The
 # default is AES-128.
 s2k-cipher-algo AES256
 # (OpenPGP-Protocol-Options)
 # Use name as the digest algorithm used to mangle the passphrases for symmetric
 # encryption. The default is SHA-1.
 s2k-digest-algo SHA512
 # (OpenPGP-Protocol-Options)
 # Specify how many times the passphrases mangling for symmetric encryption is
 # repeated. This value may range between 1024 and 65011712 inclusive. The
 # default is inquired from gpg-agent. Note that not all values in the
 # 1024-65011712 range are legal and if an illegal value is selected, GnuPG will
 # round up to the nearest legal value. This option is only meaningful if
 # --s2k-mode is set to the default of 3.
 s2k-count 1015808
 ################################################################################
 # GnuPG View Options
 # Select how to display key IDs. "long" is the more accurate (but less
 # convenient) 16-character key ID. Add an "0x" to include an "0x" at the
 # beginning of the key ID.
 keyid-format 0xlong
 # List all keys with their fingerprints. This is the same output as --list-keys
 # but with the additional output of a line with the fingerprint. If this
 # command is given twice, the fingerprints of all secondary keys are listed too.
 with-fingerprint
 with-fingerprint
@@ -1,2 +1 @@
-bin
+/bin
 release
@@ -0,0 +1,23 @@
 version: "2"
 run:
  modules-download-mode: vendor
 linters:
  default: none
  enable:
    - govet
    - ineffassign
    - misspell
    - revive
    - staticcheck
    - unused
  settings:
    revive:
      rules:
        - name: package-comments  # https://github.com/mgechev/revive/blob/master/RULES_DESCRIPTIONS.md#package-comments
          disabled: true
 formatters:
  enable:
    - gofmt
    - goimports
@@ -1,50 +0,0 @@
 ---
  # See appveyor.yml for windows build.
  sudo: required
  language: go
  dist: trusty
  osx_image: xcode10.1
  os:
    - linux
    - osx
  notifications:
    email: false
  go:
    - 1.12.x
  addons:
    apt:
      packages:
        - libsecret-1-dev
        - pass
  before_script:
    - make deps
    - "export DISPLAY=:99.0"
    - if [[ "$TRAVIS_OS_NAME" == "linux"  ]]; then sh ci/before_script_linux.sh; fi
    - make validate
  script: make test
  before_deploy:
    - sh ci/before_deploy.sh
  deploy:
    provider: releases
    api_key:
      secure: "$GITHUB_TOKEN"
    # upload file artifacts using a glob expression.
    # It requires both options `file_glob` and `file`:
    # https://github.com/travis-ci/dpl/blob/master/lib/dpl/provider/releases.rb#L47-L53
    file_glob: true
    file: docker-credential-*-${TRAVIS_TAG}-amd64.tar.gz
    # don't delete the artifacts from previous phases
    skip_cleanup: true
    # deploy when a new tag is pushed
    on:
      tags: true
  branches:
    only:
      # Pushes and PR to the master branch
      - master
      # IMPORTANT Ruby regex to match tags. Required, or travis won't trigger deploys when a new tag
      # is pushed. This regex matches semantic versions like v1.2.3-rc4+2016.02.22
      - /^v\d+\.\d+\.\d+.*$/
@@ -1,61 +0,0 @@
 # Changelog
 This changelog tracks the releases of docker-credential-helpers.
 This project includes different binaries per platform.
 The platform released is identified after the tag name.
 ## v0.6.0 (Go client, Linux)
 - New credential helper on Linux using `pass`
 - New entry point for passing environment variables when calling a credential helper
 - Add a Makefile rule generating a Windows release binary
 ### Note
 `pass` needs to be configured for `docker-credential-pass` to work properly.
 It must be initialized with a `gpg2` key ID. Make sure your GPG key exists is in `gpg2` keyring as `pass` uses `gpg2` instead of the regular `gpg`.
 ## v0.5.2 (Mac OS X, Windows, Linux)
 - Add a `version` command to output the version
 - Fix storing URLs without scheme, and use `https://` by default
 ## v0.5.1 (Go client, Mac OS X, Windows, Linux)
 - Redirect credential helpers' standard error to the caller's
 - Prevent invalid credentials and credentials queries
 ## v0.5.0 (Mac OS X)
 - Add a label for Docker credentials and filter credentials lookup to filter keychain lookups
 ## v0.4.2 (Mac OS X, Windows)
 - Fix osxkeychain list
 - macOS binary is now signed on release
 - Generate a `.exe` instead
 ## v0.4.1 (Mac OS X)
 - Fixes to support older version of OSX (10.10, 10.11)
 ## v0.4.0 (Go client, Mac OS X, Windows, Linux)
 - Full implementation for OSX ready
 - Fix some windows issues
 - Implement client.List, change list API
 - mac: delete credentials before adding them to avoid already exist error (fixes #37)
 ## v0.3.0 (Go client)
 - Add Go client library to talk with the native programs.
 ## v0.2.0 (Mac OS X, Windows, Linux)
 - Initial release of docker-credential-secretservice for Linux.
 - Use new secrets payload introduced in https://github.com/docker/docker/pull/20970.
 ## v0.1.0 (Mac OS X, Windows)
 - Initial release of docker-credential-osxkeychain for Mac OS X.
 - Initial release of docker-credential-wincred for Microsoft Windows.
@@ -0,0 +1,150 @@
 # syntax=docker/dockerfile:1
 ARG GO_VERSION=1.25.7
 ARG DEBIAN_VERSION=bookworm
 ARG XX_VERSION=1.7.0
 ARG OSXCROSS_VERSION=11.3-r8-debian
 ARG GOLANGCI_LINT_VERSION=v2.8
 ARG PACKAGE=github.com/docker/docker-credential-helpers
 # xx is a helper for cross-compilation
 FROM --platform=$BUILDPLATFORM tonistiigi/xx:${XX_VERSION} AS xx
 # osxcross contains the MacOSX cross toolchain for xx
 FROM crazymax/osxcross:${OSXCROSS_VERSION} AS osxcross
 FROM --platform=$BUILDPLATFORM golang:${GO_VERSION}-${DEBIAN_VERSION} AS gobase
 COPY --from=xx / /
 RUN apt-get update && apt-get install -y --no-install-recommends clang dpkg-dev file git lld llvm make pkg-config rsync
 ENV GOFLAGS="-mod=vendor"
 ENV CGO_ENABLED="1"
 WORKDIR /src
 FROM gobase AS vendored
 RUN --mount=target=/context \
    --mount=target=.,type=tmpfs  \
    --mount=target=/go/pkg/mod,type=cache <<EOT
  set -e
  rsync -a /context/. .
  go mod tidy
  go mod vendor
  mkdir /out
  cp -r go.mod go.sum vendor /out
 EOT
 FROM scratch AS vendor-update
 COPY --from=vendored /out /
 FROM vendored AS vendor-validate
 RUN --mount=target=/context \
    --mount=target=.,type=tmpfs <<EOT
  set -e
  rsync -a /context/. .
  git add -A
  rm -rf vendor
  cp -rf /out/* .
  if [ -n "$(git status --porcelain -- go.mod go.sum vendor)" ]; then
    echo >&2 'ERROR: Vendor result differs. Please vendor your package with "make vendor"'
    git status --porcelain -- go.mod go.sum vendor
    exit 1
  fi
 EOT
 FROM golangci/golangci-lint:${GOLANGCI_LINT_VERSION} AS golangci-lint
 FROM gobase AS lint
 RUN apt-get install -y binutils gcc libc6-dev libgcc-11-dev libsecret-1-dev pkg-config
 RUN --mount=type=bind,target=. \
    --mount=type=cache,target=/root/.cache \
    --mount=from=golangci-lint,source=/usr/bin/golangci-lint,target=/usr/bin/golangci-lint \
    golangci-lint run ./...
 FROM gobase AS base
 ARG TARGETPLATFORM
 RUN xx-apt-get install -y binutils gcc libc6-dev libgcc-11-dev libsecret-1-dev pkg-config
 FROM base AS test
 RUN xx-apt-get install -y dbus-x11 gnome-keyring gpg-agent gpgconf libsecret-1-dev pass
 RUN --mount=type=bind,target=. \
    --mount=type=cache,target=/root/.cache \
    --mount=type=cache,target=/go/pkg/mod <<EOT
  set -e
  cp -r .github/workflows/fixtures /root/.gnupg
  gpg-connect-agent "RELOADAGENT" /bye
  gpg --import --batch --yes /root/.gnupg/7D851EB72D73BDA0.key
  gpg --update-trustdb
  echo '5\ny\n' | gpg --command-fd 0 --no-tty --edit-key 7D851EB72D73BDA0 trust
  gpg-connect-agent "PRESET_PASSPHRASE 3E2D1142AA59E08E16B7E2C64BA6DDC773B1A627 -1 77697468207374757069642070617373706872617365" /bye
  gpg-connect-agent "KEYINFO 3E2D1142AA59E08E16B7E2C64BA6DDC773B1A627" /bye
  gpg-connect-agent "PRESET_PASSPHRASE BA83FC8947213477F28ADC019F6564A956456163 -1 77697468207374757069642070617373706872617365" /bye
  gpg-connect-agent "KEYINFO BA83FC8947213477F28ADC019F6564A956456163" /bye
  pass init 7D851EB72D73BDA0
  gpg -k
  mkdir /out
  xx-go --wrap
  make test COVERAGEDIR=/out
 EOT
 FROM scratch AS test-coverage
 COPY --from=test /out /
 FROM gobase AS version
 RUN --mount=target=. \
    echo -n "$(./hack/git-meta version)" | tee /tmp/.version ; echo -n "$(./hack/git-meta revision)" | tee /tmp/.revision
 FROM base AS build
 ARG PACKAGE
 RUN --mount=type=bind,target=. \
    --mount=type=cache,target=/root/.cache \
    --mount=type=cache,target=/go/pkg/mod \
    --mount=type=bind,from=osxcross,src=/osxsdk,target=/xx-sdk \
    --mount=type=bind,source=/tmp/.version,target=/tmp/.version,from=version \
    --mount=type=bind,source=/tmp/.revision,target=/tmp/.revision,from=version <<EOT
  set -ex
  export MACOSX_VERSION_MIN=$(make print-MACOSX_DEPLOYMENT_TARGET)
  xx-go --wrap
  case "$(xx-info os)" in
    linux)
      make build-pass build-secretservice PACKAGE=$PACKAGE VERSION=$(cat /tmp/.version) REVISION=$(cat /tmp/.revision) DESTDIR=/out
      xx-verify /out/docker-credential-pass
      xx-verify /out/docker-credential-secretservice
      ;;
    darwin)
      go install std
      make build-osxkeychain build-pass PACKAGE=$PACKAGE VERSION=$(cat /tmp/.version) REVISION=$(cat /tmp/.revision) DESTDIR=/out
      xx-verify /out/docker-credential-osxkeychain
      xx-verify /out/docker-credential-pass
      ;;
    windows)
      make build-wincred PACKAGE=$PACKAGE VERSION=$(cat /tmp/.version) REVISION=$(cat /tmp/.revision) DESTDIR=/out
      mv /out/docker-credential-wincred /out/docker-credential-wincred.exe
      xx-verify /out/docker-credential-wincred.exe
      ;;
  esac
 EOT
 FROM scratch AS binaries
 COPY --from=build /out /
 FROM --platform=$BUILDPLATFORM alpine AS releaser
 WORKDIR /work
 ARG TARGETOS
 ARG TARGETARCH
 ARG TARGETVARIANT
 RUN --mount=from=binaries \
    --mount=type=bind,source=/tmp/.version,target=/tmp/.version,from=version <<EOT
  set -e
  mkdir /out
  version="$(cat /tmp/.version)"
  [ "$TARGETOS" = "windows" ] && ext=".exe"
  for f in *; do
    cp "$f" "/out/${f%.*}-${version}.${TARGETOS}-${TARGETARCH}${TARGETVARIANT}${ext}"
  done
 EOT
 FROM scratch AS release
 COPY --from=releaser /out/ /
 FROM binaries
@@ -1,81 +0,0 @@
 pipeline {
    agent none
    options {
        checkoutToSubdirectory('src/github.com/docker/docker-credential-helpers')
    }
    stages {
        stage('build') {
            parallel {
                stage('linux') {
                    agent {
                        kubernetes {
                            label 'declarative'
                            containerTemplate {
                                name 'golang'
                                image 'golang:1.12.4'
                                ttyEnabled true
                                command 'cat'
                            }
                        }
                    }
                    environment {
                        GOPATH = pwd()
                        PATH   = "/usr/local/go/bin:${GOPATH}/bin:$PATH"
                    }
                    steps {
                        container('golang') {
                            dir('src/github.com/docker/docker-credential-helpers') {
                                sh 'apt-get update && apt-get install -y libsecret-1-dev pass'
                                sh 'make deps fmt lint test'
                                sh 'make pass secretservice'
                                archiveArtifacts 'bin/docker-credential-*'
                            }
                        }
                    }
                }
                stage('mac') {
                    agent {
                        label 'mac-build && go1.12.4'
                    }
                    environment {
                        PATH   = "/usr/local/go/bin:${GOPATH}/bin:$PATH"
                        GOPATH = pwd()
                    }
                    steps {
                        dir('src/github.com/docker/docker-credential-helpers') {
                            sh 'make deps fmt lint test'
                            sh 'make osxcodesign'
                            archiveArtifacts 'bin/docker-credential-*'
                        }
                    }
                }
                stage('windows') {
                    agent {
                        label 'win-build && go1.12.4'
                    }
                    environment {
                        GOPATH      = pwd()
                        PATH        = "${pwd()}/bin;$PATH"
                        PFX         = credentials('windows-build-pfx-sanitize')
                        PFXPASSWORD = credentials('windows-build-pfx-password')
                    }
                    steps {
                        dir('src/github.com/docker/docker-credential-helpers') {
                            sh 'echo ${PFX} | base64 -d > pfx'
                            sh 'make deps fmt lint test'
                            sh 'make wincred'
                            bat """ "C:\\Program Files (x86)\\Windows Kits\\10\\bin\\x86\\signtool.exe" sign /fd SHA256 /a /f pfx /p ${PFXPASSWORD} /d Docker /du https://www.docker.com /t http://timestamp.verisign.com/scripts/timestamp.dll bin\\docker-credential-wincred.exe """
                            archiveArtifacts 'bin/docker-credential-*'
                        }
                    }
                    post {
                        always {
                            sh 'rm -f pfx'
                        }
                    }
                }
            }
        }
    }
 }
@@ -1,82 +1,101 @@
-.PHONY: all deps osxkeychain secretservice test validate wincred pass deb
+PACKAGE ?= github.com/docker/docker-credential-helpers
 VERSION ?= $(shell ./hack/git-meta version)
 REVISION ?= $(shell ./hack/git-meta revision)
-TRAVIS_OS_NAME ?= linux
+GO_PKG = github.com/docker/docker-credential-helpers
-VERSION := $(shell grep 'const Version' credentials/version.go | awk -F'"' '{ print $$2 }')
+GO_LDFLAGS = -s -w -X ${GO_PKG}/credentials.Version=${VERSION} -X ${GO_PKG}/credentials.Revision=${REVISION} -X ${GO_PKG}/credentials.Package=${PACKAGE}
-all: test
+BUILDX_CMD ?= docker buildx
 DESTDIR ?= ./bin/build
 COVERAGEDIR ?= ./bin/coverage
-deps:
+# 10.11 is the minimum supported version for osxkeychain
-	go get -u golang.org/x/lint/golint
+export MACOSX_DEPLOYMENT_TARGET = 10.11
 ifeq "$(shell go env GOOS)" "darwin"
 	export CGO_CFLAGS = -Wno-atomic-alignment -mmacosx-version-min=$(MACOSX_DEPLOYMENT_TARGET)
 else
 	# prevent warnings; see https://github.com/docker/docker-credential-helpers/pull/340#issuecomment-2437593837
 	# gcc_libinit.c:44:8: error: large atomic operation may incur significant performance penalty; the access size (4 bytes) exceeds the max lock-free size (0  bytes) [-Werror,-Watomic-alignment]
 	export CGO_CFLAGS = -Wno-atomic-alignment
 endif
 ifeq "$(shell go env GOOS)/$(shell go env GOARCH)/$(shell go env GOARM)" "linux/arm/6"
 	# Neither the CGo compiler, nor the C toolchain automatically link to
 	# libatomic when the architecture doesn't support atomic intrinsics, as is
 	# the case for arm/v6.
 	#
 	# Here's the error we get when this is not done (see https://github.com/docker/docker-credential-helpers/pull/340#issuecomment-2437593837):
 	#
 	# gcc_libinit.c:44:8: error: large atomic operation may incur significant performance penalty; the access size (4 bytes) exceeds the max lock-free size (0  bytes) [-Werror,-Watomic-alignment]
 	export CGO_LDFLAGS=-latomic
 endif
 .PHONY: all
 all: cross
 .PHONY: clean
 clean:
 	rm -rf bin
 	rm -rf release
-osxkeychain:
+.PHONY: build-%
-	mkdir -p bin
+build-%: # build, can be one of build-osxkeychain build-pass build-secretservice build-wincred
-	go build -ldflags -s -o bin/docker-credential-osxkeychain osxkeychain/cmd/main_darwin.go
+	go build -trimpath -ldflags="$(GO_LDFLAGS) -X ${GO_PKG}/credentials.Name=docker-credential-$*" -o "$(DESTDIR)/docker-credential-$*" ./$*/cmd/
-osxcodesign: osxkeychain
+# aliases for build-* targets
-	$(eval SIGNINGHASH = $(shell security find-identity -v -p codesigning | grep "Developer ID Application: Docker Inc" | cut -d ' ' -f 4))
+.PHONY: osxkeychain secretservice pass wincred
-	xcrun -log codesign -s $(SIGNINGHASH) --force --verbose bin/docker-credential-osxkeychain
+osxkeychain: build-osxkeychain
-	xcrun codesign --verify --deep --strict --verbose=2 --display bin/docker-credential-osxkeychain
+secretservice: build-secretservice
 pass: build-pass
 wincred: build-wincred
-osxrelease: clean vet_osx lint fmt test osxcodesign
+.PHONY: cross
-	mkdir -p release
+cross: # cross build all supported credential helpers
-	@echo "\nPackaging version ${VERSION}\n"
+	$(BUILDX_CMD) bake binaries
 	cd bin && tar cvfz ../release/docker-credential-osxkeychain-v$(VERSION)-amd64.tar.gz docker-credential-osxkeychain
-secretservice:
+.PHONY: release
-	mkdir -p bin
+release: # create release
-	go build -o bin/docker-credential-secretservice secretservice/cmd/main_linux.go
+	./hack/release
 pass:
 	mkdir -p bin
 	go build -o bin/docker-credential-pass pass/cmd/main_linux.go
 wincred:
 	mkdir -p bin
 	go build -o bin/docker-credential-wincred.exe wincred/cmd/main_windows.go
 winrelease: clean vet_win lint fmt test wincred
 	mkdir -p release
 	@echo "\nPackaging version ${VERSION}\n"
 	cd bin && zip ../release/docker-credential-wincred-v$(VERSION)-amd64.zip docker-credential-wincred.exe
 .PHONY: test
 test:
-	# tests all packages except vendor
+	mkdir -p $(COVERAGEDIR)
-	go test -v `go list ./... | grep -v /vendor/`
+	go test -short -v -coverprofile=$(COVERAGEDIR)/coverage.txt -covermode=atomic ./...
-
+	go tool cover -func=$(COVERAGEDIR)/coverage.txt
 vet: vet_$(TRAVIS_OS_NAME)
 	go vet ./credentials
 vet_win:
 	go vet ./wincred
 vet_osx:
 	go vet ./osxkeychain
 vet_linux:
 	go vet ./secretservice
 .PHONY: lint
 lint:
-	for p in `go list ./... | grep -v /vendor/`; do \
+	$(BUILDX_CMD) bake lint
 		golint $$p ; \
 	done
 .PHONY: validate-vendor
 validate-vendor:
 	$(BUILDX_CMD) bake vendor-validate
 .PHONY: fmt
 fmt:
 	gofmt -s -l `ls **/*.go | grep -v vendor`
-validate: vet lint fmt
+.PHONY: validate
-
+validate: lint validate-vendor fmt
 BUILDIMG:=docker-credential-secretservice-$(VERSION)
 .PHONY: deb
 deb:
 	mkdir -p release
 	docker build -f deb/Dockerfile \
-		--build-arg VERSION=$(VERSION) \
+		--build-arg VERSION=$(patsubst v%,%,$(VERSION)) \
-		--build-arg DISTRO=xenial \
+		--build-arg REVISION=$(REVISION) \
 		--tag $(BUILDIMG) \
 		.
 	docker run --rm --net=none $(BUILDIMG) tar cf - /release | tar xf -
 	docker rmi $(BUILDIMG)
 .PHONY: vendor
 vendor:
 	$(eval $@_TMP_OUT := $(shell mktemp -d -t docker-output.XXXXXXXXXX))
 	$(BUILDX_CMD) bake --set "*.output=type=local,dest=$($@_TMP_OUT)" vendor
 	rm -rf ./vendor
 	cp -R "$($@_TMP_OUT)"/* .
 	rm -rf "$($@_TMP_OUT)"
 .PHONY: print-%
 print-%: ; @echo $($*)
@@ -1,3 +1,9 @@
 [![GitHub release](https://img.shields.io/github/release/docker/docker-credential-helpers.svg?style=flat-square)](https://github.com/docker/docker-credential-helpers/releases/latest)
 [![PkgGoDev](https://img.shields.io/badge/go.dev-docs-007d9c?style=flat-square&logo=go&logoColor=white)](https://pkg.go.dev/github.com/docker/docker-credential-helpers)
 [![Build Status](https://img.shields.io/github/actions/workflow/status/docker/docker-credential-helpers/build.yml?label=build&logo=github&style=flat-square)](https://github.com/docker/docker-credential-helpers/actions?query=workflow%3Abuild)
 [![Codecov](https://img.shields.io/codecov/c/github/docker/docker-credential-helpers?logo=codecov&style=flat-square)](https://codecov.io/gh/docker/docker-credential-helpers)
 [![Go Report Card](https://goreportcard.com/badge/github.com/docker/docker-credential-helpers?style=flat-square)](https://goreportcard.com/report/github.com/docker/docker-credential-helpers)
 ## Introduction
 docker-credential-helpers is a suite of programs to use native stores to keep Docker credentials safe.
@@ -6,30 +12,52 @@ docker-credential-helpers is a suite of programs to use native stores to keep Do
 Go to the [Releases](https://github.com/docker/docker-credential-helpers/releases) page and download the binary that works better for you. Put that binary in your `$PATH`, so Docker can find it.
-### Building from scratch
+## Building
-The programs in this repository are written with the Go programming language. These instructions assume that you have previous knowledge about the language and you have it installed in your machine.
+You can build the credential helpers using Docker:
-1 - Download the source and put it in your `$GOPATH` with `go get`.
+```shell
 # install emulators
 $ docker run --privileged --rm tonistiigi/binfmt --install all
-```
+# create builder
-$ go get github.com/docker/docker-credential-helpers
+$ docker buildx create --use
 # build credential helpers from remote repository and output to ./bin/build
 $ docker buildx bake "https://github.com/docker/docker-credential-helpers.git"
 # or from local source
 $ git clone https://github.com/docker/docker-credential-helpers.git
 $ cd docker-credential-helpers
 $ docker buildx bake
 ```
-2 - Use `make` to build the program you want. That will leave an executable in the `bin` directory inside the repository.
+Or if the toolchain is already installed on your machine:
 1. Download the source.
 ```shell
 $ git clone https://github.com/docker/docker-credential-helpers.git
 $ cd docker-credential-helpers
 ```
-$ cd $GOPATH/docker/docker-credentials-helpers
+
 2.  Use `make` to build the program you want. That will leave an executable in the `bin` directory inside the repository.
 ```shell
 $ make osxkeychain
 ```
-3 - Put that binary in your `$PATH`, so Docker can find it.
+3.  Put that binary in your `$PATH`, so Docker can find it.
 ```shell
 $ cp bin/build/docker-credential-osxkeychain /usr/local/bin/
 ```
 ## Usage
 ### With the Docker Engine
-Set the `credsStore` option in your `.docker/config.json` file with the suffix of the program you want to use. For instance, set it to `osxkeychain` if you want to use `docker-credential-osxkeychain`.
+Set the `credsStore` option in your `~/.docker/config.json` file with the suffix of the program you want to use. For instance, set it to `osxkeychain` if you want to use `docker-credential-osxkeychain`.
 ```json
 {
@@ -73,8 +101,8 @@ A credential helper can be any program that can read values from the standard in
 This repository also includes libraries to implement new credentials programs in Go. Adding a new helper program is pretty easy. You can see how the OS X keychain helper works in the [osxkeychain](osxkeychain) directory.
-1. Implement the interface `credentials.Helper` in `YOUR_PACKAGE/YOUR_PACKAGE_$GOOS.go`
+1. Implement the interface `credentials.Helper` in `YOUR_PACKAGE/`
-2. Create a main program in `YOUR_PACKAGE/cmd/main_$GOOS.go`.
+2. Create a main program in `YOUR_PACKAGE/cmd/`.
 3. Add make tasks to build your program and run tests.
 ## License
@@ -1,24 +0,0 @@
 image: Visual Studio 2015
 environment:
      GOPATH: c:\gopath
 stack: go 1.8.7
 clone_folder: c:\gopath\src\github.com\docker\docker-credential-helpers
 clone_depth: 10
 before_build:
  - set PATH=%PATH%;C:\MinGW\bin;
 build_script:
  - mingw32-make vet_win wincred
 test_script:
  - mingw32-make test
 deploy: off
 artifacts:
  - path: bin/docker-credential-wincred.exe
 configuration: Release
@@ -1,15 +0,0 @@
 set -ex
 mkdir bin
 case "$TRAVIS_OS_NAME" in
 	"osx")
 		go build -o bin/docker-credential-osxkeychain osxkeychain/cmd/main_darwin.go
 		cd bin
 		tar czf ../docker-credential-osxkeychain-${TRAVIS_TAG}-amd64.tar.gz docker-credential-osxkeychain
 		;;
 	"linux")
 		go build -o bin/docker-credential-secretservice secretservice/cmd/main_linux.go
 		cd bin
 		tar czf ../docker-credential-secretservice-${TRAVIS_TAG}-amd64.tar.gz docker-credential-secretservice
 		;;
 esac
@@ -16,17 +16,15 @@ func isValidCredsMessage(msg string) error {
 	if credentials.IsCredentialsMissingServerURLMessage(msg) {
 		return credentials.NewErrCredentialsMissingServerURL()
 	}
 	if credentials.IsCredentialsMissingUsernameMessage(msg) {
 		return credentials.NewErrCredentialsMissingUsername()
 	}
 	return nil
 }
 // Store uses an external program to save credentials.
 func Store(program ProgramFunc, creds *credentials.Credentials) error {
-	cmd := program("store")
+	cmd := program(credentials.ActionStore)
 	buffer := new(bytes.Buffer)
 	if err := json.NewEncoder(buffer).Encode(creds); err != nil {
@@ -36,13 +34,10 @@ func Store(program ProgramFunc, creds *credentials.Credentials) error {
 	out, err := cmd.Output()
 	if err != nil {
-		t := strings.TrimSpace(string(out))
+		if isValidErr := isValidCredsMessage(string(out)); isValidErr != nil {
 		if isValidErr := isValidCredsMessage(t); isValidErr != nil {
 			err = isValidErr
 		}
-
+		return fmt.Errorf("error storing credentials - err: %v, out: `%s`", err, strings.TrimSpace(string(out)))
 		return fmt.Errorf("error storing credentials - err: %v, out: `%s`", err, t)
 	}
 	return nil
@@ -50,22 +45,20 @@ func Store(program ProgramFunc, creds *credentials.Credentials) error {
 // Get executes an external program to get the credentials from a native store.
 func Get(program ProgramFunc, serverURL string) (*credentials.Credentials, error) {
-	cmd := program("get")
+	cmd := program(credentials.ActionGet)
 	cmd.Input(strings.NewReader(serverURL))
 	out, err := cmd.Output()
 	if err != nil {
-		t := strings.TrimSpace(string(out))
+		if credentials.IsErrCredentialsNotFoundMessage(string(out)) {
 		if credentials.IsErrCredentialsNotFoundMessage(t) {
 			return nil, credentials.NewErrCredentialsNotFound()
 		}
-		if isValidErr := isValidCredsMessage(t); isValidErr != nil {
+		if isValidErr := isValidCredsMessage(string(out)); isValidErr != nil {
 			err = isValidErr
 		}
-		return nil, fmt.Errorf("error getting credentials - err: %v, out: `%s`", err, t)
+		return nil, fmt.Errorf("error getting credentials - err: %v, out: `%s`", err, strings.TrimSpace(string(out)))
 	}
 	resp := &credentials.Credentials{
@@ -81,7 +74,7 @@ func Get(program ProgramFunc, serverURL string) (*credentials.Credentials, error
 // Erase executes a program to remove the server credentials from the native store.
 func Erase(program ProgramFunc, serverURL string) error {
-	cmd := program("erase")
+	cmd := program(credentials.ActionErase)
 	cmd.Input(strings.NewReader(serverURL))
 	out, err := cmd.Output()
 	if err != nil {
@@ -99,7 +92,7 @@ func Erase(program ProgramFunc, serverURL string) error {
 // List executes a program to list server credentials in the native store.
 func List(program ProgramFunc) (map[string]string, error) {
-	cmd := program("list")
+	cmd := program(credentials.ActionList)
 	cmd.Input(strings.NewReader("unused"))
 	out, err := cmd.Output()
 	if err != nil {
@@ -4,7 +4,6 @@ import (
 	"encoding/json"
 	"fmt"
 	"io"
 	"io/ioutil"
 	"strings"
 	"testing"
@@ -12,27 +11,27 @@ import (
 )
 const (
-	validServerAddress   = "https://index.docker.io/v1"
+	validServerAddress   = "https://registry.example.com/v1"
 	validUsername        = "linus"
 	validServerAddress2  = "https://example.com:5002"
 	invalidServerAddress = "https://foobar.example.com"
-	missingCredsAddress  = "https://missing.docker.io/v1"
+	missingCredsAddress  = "https://missing.example.com/v1"
 )
 var errProgramExited = fmt.Errorf("exited 1")
 // mockProgram simulates interactions between the docker client and a remote
-// credentials helper.
+// credentials-helper.
 // Unit tests inject this mocked command into the remote to control execution.
 type mockProgram struct {
 	arg   string
 	input io.Reader
 }
-// Output returns responses from the remote credentials helper.
+// Output returns responses from the remote credentials-helper.
 // It mocks those responses based in the input in the mock.
 func (m *mockProgram) Output() ([]byte, error) {
-	in, err := ioutil.ReadAll(m.input)
+	in, err := io.ReadAll(m.input)
 	if err != nil {
 		return nil, err
 	}
@@ -81,7 +80,7 @@ func (m *mockProgram) Output() ([]byte, error) {
 	return []byte(fmt.Sprintf("unknown argument %q with %q", m.arg, inS)), errProgramExited
 }
-// Input sets the input to send to a remote credentials helper.
+// Input sets the input to send to a remote credentials-helper.
 func (m *mockProgram) Input(in io.Reader) {
 	m.input = in
 }
@@ -93,57 +92,57 @@ func mockProgramFn(args ...string) Program {
 }
 func ExampleStore() {
-	p := NewShellProgramFunc("docker-credential-secretservice")
+	p := NewShellProgramFunc("docker-credential-pass")
 	c := &credentials.Credentials{
-		ServerURL: "https://example.com",
+		ServerURL: "https://registry.example.com",
-		Username:  "calavera",
+		Username:  "exampleuser",
 		Secret:    "my super secret token",
 	}
 	if err := Store(p, c); err != nil {
-		fmt.Println(err)
+		_, _ = fmt.Println(err)
 	}
 }
 func TestStore(t *testing.T) {
 	valid := []credentials.Credentials{
-		{validServerAddress, "foo", "bar"},
+		{ServerURL: validServerAddress, Username: "foo", Secret: "bar"},
-		{validServerAddress2, "<token>", "abcd1234"},
+		{ServerURL: validServerAddress2, Username: "<token>", Secret: "abcd1234"},
 	}
 	for _, v := range valid {
 		if err := Store(mockProgramFn, &v); err != nil {
-			t.Fatal(err)
+			t.Error(err)
 		}
 	}
 	invalid := []credentials.Credentials{
-		{invalidServerAddress, "foo", "bar"},
+		{ServerURL: invalidServerAddress, Username: "foo", Secret: "bar"},
 	}
 	for _, v := range invalid {
 		if err := Store(mockProgramFn, &v); err == nil {
-			t.Fatalf("Expected error for server %s, got nil", v.ServerURL)
+			t.Errorf("Expected error for server %s, got nil", v.ServerURL)
 		}
 	}
 }
 func ExampleGet() {
-	p := NewShellProgramFunc("docker-credential-secretservice")
+	p := NewShellProgramFunc("docker-credential-pass")
-	creds, err := Get(p, "https://example.com")
+	creds, err := Get(p, "https://registry.example.com")
 	if err != nil {
-		fmt.Println(err)
+		_, _ = fmt.Println(err)
 	}
-	fmt.Printf("Got credentials for user `%s` in `%s`\n", creds.Username, creds.ServerURL)
+	_, _ = fmt.Printf("Got credentials for user `%s` in `%s`\n", creds.Username, creds.ServerURL)
 }
 func TestGet(t *testing.T) {
 	valid := []credentials.Credentials{
-		{validServerAddress, "foo", "bar"},
+		{ServerURL: validServerAddress, Username: "foo", Secret: "bar"},
-		{validServerAddress2, "<token>", "abcd1234"},
+		{ServerURL: validServerAddress2, Username: "<token>", Secret: "abcd1234"},
 	}
 	for _, v := range valid {
@@ -153,10 +152,10 @@ func TestGet(t *testing.T) {
 		}
 		if c.Username != v.Username {
-			t.Fatalf("expected username `%s`, got %s", v.Username, c.Username)
+			t.Errorf("expected username `%s`, got %s", v.Username, c.Username)
 		}
 		if c.Secret != v.Secret {
-			t.Fatalf("expected secret `%s`, got %s", v.Secret, c.Secret)
+			t.Errorf("expected secret `%s`, got %s", v.Secret, c.Secret)
 		}
 	}
@@ -166,10 +165,17 @@ func TestGet(t *testing.T) {
 		serverURL string
 		err       string
 	}{
-		{missingCredsAddress, credentials.NewErrCredentialsNotFound().Error()},
+		{
-		{invalidServerAddress, "error getting credentials - err: exited 1, out: `program failed`"},
+			serverURL: missingCredsAddress,
-		{"", fmt.Sprintf("error getting credentials - err: %s, out: `%s`",
+			err:       credentials.NewErrCredentialsNotFound().Error(),
-			missingServerURLErr.Error(), missingServerURLErr.Error())},
+		},
 		{
 			serverURL: invalidServerAddress,
 			err:       "error getting credentials - err: exited 1, out: `program failed`",
 		},
 		{
 			err: fmt.Sprintf("error getting credentials - err: %s, out: `%s`", missingServerURLErr.Error(), missingServerURLErr.Error()),
 		},
 	}
 	for _, v := range invalid {
@@ -178,26 +184,26 @@ func TestGet(t *testing.T) {
 			t.Fatalf("Expected error for server %s, got nil", v.serverURL)
 		}
 		if err.Error() != v.err {
-			t.Fatalf("Expected error `%s`, got `%v`", v.err, err)
+			t.Errorf("Expected error `%s`, got `%v`", v.err, err)
 		}
 	}
 }
 func ExampleErase() {
-	p := NewShellProgramFunc("docker-credential-secretservice")
+	p := NewShellProgramFunc("docker-credential-pass")
-	if err := Erase(p, "https://example.com"); err != nil {
+	if err := Erase(p, "https://registry.example.com"); err != nil {
-		fmt.Println(err)
+		_, _ = fmt.Println(err)
 	}
 }
 func TestErase(t *testing.T) {
 	if err := Erase(mockProgramFn, validServerAddress); err != nil {
-		t.Fatal(err)
+		t.Error(err)
 	}
 	if err := Erase(mockProgramFn, invalidServerAddress); err == nil {
-		t.Fatalf("Expected error for server %s, got nil", invalidServerAddress)
+		t.Errorf("Expected error for server %s, got nil", invalidServerAddress)
 	}
 }
@@ -208,6 +214,6 @@ func TestList(t *testing.T) {
 	}
 	if username, exists := auths[validServerAddress]; !exists || username != validUsername {
-		t.Fatalf("auths[%s] returned %s, %t; expected %s, %t", validServerAddress, username, exists, validUsername, true)
+		t.Errorf("auths[%s] returned %s, %t; expected %s, %t", validServerAddress, username, exists, validUsername, true)
 	}
 }
@@ -1,7 +1,6 @@
 package client
 import (
 	"fmt"
 	"io"
 	"os"
 	"os/exec"
@@ -16,41 +15,43 @@ type Program interface {
 // ProgramFunc is a type of function that initializes programs based on arguments.
 type ProgramFunc func(args ...string) Program
-// NewShellProgramFunc creates programs that are executed in a Shell.
+// NewShellProgramFunc creates a [ProgramFunc] to run command in a [Shell].
-func NewShellProgramFunc(name string) ProgramFunc {
+func NewShellProgramFunc(command string) ProgramFunc {
 	return NewShellProgramFuncWithEnv(name, nil)
 }
 // NewShellProgramFuncWithEnv creates programs that are executed in a Shell with environment variables
 func NewShellProgramFuncWithEnv(name string, env *map[string]string) ProgramFunc {
 	return func(args ...string) Program {
-		return &Shell{cmd: createProgramCmdRedirectErr(name, args, env)}
+		return createProgramCmdRedirectErr(command, args, nil)
 	}
 }
-func createProgramCmdRedirectErr(commandName string, args []string, env *map[string]string) *exec.Cmd {
+// NewShellProgramFuncWithEnv creates a [ProgramFunc] tu run command
-	programCmd := exec.Command(commandName, args...)
+// in a [Shell] with the given environment variables.
-	programCmd.Env = os.Environ()
+func NewShellProgramFuncWithEnv(command string, env *map[string]string) ProgramFunc {
 	return func(args ...string) Program {
 		return createProgramCmdRedirectErr(command, args, env)
 	}
 }
 func createProgramCmdRedirectErr(command string, args []string, env *map[string]string) *Shell {
 	ec := exec.Command(command, args...)
 	if env != nil {
 		for k, v := range *env {
-			programCmd.Env = append(programCmd.Env, fmt.Sprintf("%s=%s", k, v))
+			ec.Env = append(ec.Environ(), k+"="+v)
 		}
 	}
-	programCmd.Stderr = os.Stderr
+	ec.Stderr = os.Stderr
-	return programCmd
+	return &Shell{cmd: ec}
 }
-// Shell invokes shell commands to talk with a remote credentials helper.
+// Shell invokes shell commands to talk with a remote credentials-helper.
 type Shell struct {
 	cmd *exec.Cmd
 }
-// Output returns responses from the remote credentials helper.
+// Output returns responses from the remote credentials-helper.
 func (s *Shell) Output() ([]byte, error) {
 	return s.cmd.Output()
 }
-// Input sets the input to send to a remote credentials helper.
+// Input sets the input to send to a remote credentials-helper.
 func (s *Shell) Input(in io.Reader) {
 	s.cmd.Stdin = in
 }
@@ -10,6 +10,20 @@ import (
 	"strings"
 )
 // Action defines the name of an action (sub-command) supported by a
 // credential-helper binary. It is an alias for "string", and mostly
 // for convenience.
 type Action = string
 // List of actions (sub-commands) supported by credential-helper binaries.
 const (
 	ActionStore   Action = "store"
 	ActionGet     Action = "get"
 	ActionErase   Action = "erase"
 	ActionList    Action = "list"
 	ActionVersion Action = "version"
 )
 // Credentials holds the information shared between docker and the credentials store.
 type Credentials struct {
 	ServerURL string
@@ -43,42 +57,52 @@ func SetCredsLabel(label string) {
 	CredsLabel = label
 }
-// Serve initializes the credentials helper and parses the action argument.
+// Serve initializes the credentials-helper and parses the action argument.
 // This function is designed to be called from a command line interface.
 // It uses os.Args[1] as the key for the action.
 // It uses os.Stdin as input and os.Stdout as output.
 // This function terminates the program with os.Exit(1) if there is an error.
 func Serve(helper Helper) {
 	var err error
 	if len(os.Args) != 2 {
-		err = fmt.Errorf("Usage: %s <store|get|erase|list|version>", os.Args[0])
+		_, _ = fmt.Fprintln(os.Stdout, usage())
 		os.Exit(1)
 	}
-	if err == nil {
+	switch os.Args[1] {
-		err = HandleCommand(helper, os.Args[1], os.Stdin, os.Stdout)
+	case "--version", "-v":
 		_ = PrintVersion(os.Stdout)
 		os.Exit(0)
 	case "--help", "-h":
 		_, _ = fmt.Fprintln(os.Stdout, usage())
 		os.Exit(0)
 	}
-	if err != nil {
+	if err := HandleCommand(helper, os.Args[1], os.Stdin, os.Stdout); err != nil {
-		fmt.Fprintf(os.Stdout, "%v\n", err)
+		_, _ = fmt.Fprintln(os.Stdout, err)
 		os.Exit(1)
 	}
 }
-// HandleCommand uses a helper and a key to run a credential action.
+func usage() string {
-func HandleCommand(helper Helper, key string, in io.Reader, out io.Writer) error {
+	return fmt.Sprintf("Usage: %s <store|get|erase|list|version>", Name)
-	switch key {
+}
-	case "store":
+
-		return Store(helper, in)
+// HandleCommand runs a helper to execute a credential action.
-	case "get":
+func HandleCommand(helper Helper, action Action, in io.Reader, out io.Writer) error {
-		return Get(helper, in, out)
+	switch action {
-	case "erase":
+	case ActionStore:
-		return Erase(helper, in)
+		return Store(helper, in)
-	case "list":
+	case ActionGet:
-		return List(helper, out)
+		return Get(helper, in, out)
-	case "version":
+	case ActionErase:
-		return PrintVersion(out)
+		return Erase(helper, in)
 	case ActionList:
 		return List(helper, out)
 	case ActionVersion:
 		return PrintVersion(out)
 	default:
 		return fmt.Errorf("%s: unknown action: %s", Name, action)
 	}
 	return fmt.Errorf("Unknown credential action `%s`", key)
 }
 // Store uses a helper and an input reader to save credentials.
@@ -132,18 +156,17 @@ func Get(helper Helper, reader io.Reader, writer io.Writer) error {
 		return err
 	}
-	resp := Credentials{
+	buffer.Reset()
 	err = json.NewEncoder(buffer).Encode(Credentials{
 		ServerURL: serverURL,
 		Username:  username,
 		Secret:    secret,
-	}
+	})
-
+	if err != nil {
 	buffer.Reset()
 	if err := json.NewEncoder(buffer).Encode(resp); err != nil {
 		return err
 	}
-	fmt.Fprint(writer, buffer.String())
+	_, _ = fmt.Fprint(writer, buffer.String())
 	return nil
 }
@@ -181,6 +204,6 @@ func List(helper Helper, writer io.Writer) error {
 // PrintVersion outputs the current version.
 func PrintVersion(writer io.Writer) error {
-	fmt.Fprintln(writer, Version)
+	_, _ = fmt.Fprintf(writer, "%s (%s) %s\n", Name, Package, Version)
 	return nil
 }
@@ -42,7 +42,7 @@ func (m *memoryStore) List() (map[string]string, error) {
 }
 func TestStore(t *testing.T) {
-	serverURL := "https://index.docker.io/v1/"
+	const serverURL = "https://registry.example.com/v1/"
 	creds := &Credentials{
 		ServerURL: serverURL,
 		Username:  "foo",
@@ -65,11 +65,11 @@ func TestStore(t *testing.T) {
 	}
 	if c.Username != "foo" {
-		t.Fatalf("expected username foo, got %s\n", c.Username)
+		t.Errorf("expected username foo, got %s\n", c.Username)
 	}
 	if c.Secret != "bar" {
-		t.Fatalf("expected username bar, got %s\n", c.Secret)
+		t.Errorf("expected username bar, got %s\n", c.Secret)
 	}
 }
@@ -88,14 +88,14 @@ func TestStoreMissingServerURL(t *testing.T) {
 	h := newMemoryStore()
-	if err := Store(h, in); IsCredentialsMissingServerURL(err) == false {
+	if err := Store(h, in); !IsCredentialsMissingServerURL(err) {
-		t.Fatal(err)
+		t.Error(err)
 	}
 }
 func TestStoreMissingUsername(t *testing.T) {
 	creds := &Credentials{
-		ServerURL: "https://index.docker.io/v1/",
+		ServerURL: "https://registry.example.com/v1/",
 		Username:  "",
 		Secret:    "bar",
 	}
@@ -108,13 +108,13 @@ func TestStoreMissingUsername(t *testing.T) {
 	h := newMemoryStore()
-	if err := Store(h, in); IsCredentialsMissingUsername(err) == false {
+	if err := Store(h, in); !IsCredentialsMissingUsername(err) {
-		t.Fatal(err)
+		t.Error(err)
 	}
 }
 func TestGet(t *testing.T) {
-	serverURL := "https://index.docker.io/v1/"
+	const serverURL = "https://registry.example.com/v1/"
 	creds := &Credentials{
 		ServerURL: serverURL,
 		Username:  "foo",
@@ -147,16 +147,16 @@ func TestGet(t *testing.T) {
 	}
 	if c.Username != "foo" {
-		t.Fatalf("expected username foo, got %s\n", c.Username)
+		t.Errorf("expected username foo, got %s\n", c.Username)
 	}
 	if c.Secret != "bar" {
-		t.Fatalf("expected username bar, got %s\n", c.Secret)
+		t.Errorf("expected username bar, got %s\n", c.Secret)
 	}
 }
 func TestGetMissingServerURL(t *testing.T) {
-	serverURL := "https://index.docker.io/v1/"
+	const serverURL = "https://registry.example.com/v1/"
 	creds := &Credentials{
 		ServerURL: serverURL,
 		Username:  "foo",
@@ -176,13 +176,13 @@ func TestGetMissingServerURL(t *testing.T) {
 	buf := strings.NewReader("")
 	w := new(bytes.Buffer)
-	if err := Get(h, buf, w); IsCredentialsMissingServerURL(err) == false {
+	if err := Get(h, buf, w); !IsCredentialsMissingServerURL(err) {
-		t.Fatal(err)
+		t.Error(err)
 	}
 }
 func TestErase(t *testing.T) {
-	serverURL := "https://index.docker.io/v1/"
+	const serverURL = "https://registry.example.com/v1/"
 	creds := &Credentials{
 		ServerURL: serverURL,
 		Username:  "foo",
@@ -206,12 +206,12 @@ func TestErase(t *testing.T) {
 	w := new(bytes.Buffer)
 	if err := Get(h, buf, w); err == nil {
-		t.Fatal("expected error getting missing creds, got empty")
+		t.Error("expected error getting missing creds, got empty")
 	}
 }
 func TestEraseMissingServerURL(t *testing.T) {
-	serverURL := "https://index.docker.io/v1/"
+	const serverURL = "https://registry.example.com/v1/"
 	creds := &Credentials{
 		ServerURL: serverURL,
 		Username:  "foo",
@@ -229,8 +229,8 @@ func TestEraseMissingServerURL(t *testing.T) {
 	}
 	buf := strings.NewReader("")
-	if err := Erase(h, buf); IsCredentialsMissingServerURL(err) == false {
+	if err := Erase(h, buf); !IsCredentialsMissingServerURL(err) {
-		t.Fatal(err)
+		t.Error(err)
 	}
 }
@@ -244,6 +244,6 @@ func TestList(t *testing.T) {
 	}
 	// testing that there is an output
 	if out.Len() == 0 {
-		t.Fatalf("expected output in the writer, got %d", 0)
+		t.Error("expected output in the writer, got 0")
 	}
 }
@@ -1,5 +1,10 @@
 package credentials
 import (
 	"errors"
 	"strings"
 )
 const (
 	// ErrCredentialsNotFound standardizes the not found error, so every helper returns
 	// the same message and docker can handle it properly.
@@ -21,6 +26,11 @@ func (errCredentialsNotFound) Error() string {
 	return errCredentialsNotFoundMessage
 }
 // NotFound implements the [ErrNotFound][errdefs.ErrNotFound] interface.
 //
 // [errdefs.ErrNotFound]: https://pkg.go.dev/github.com/docker/docker@v24.0.1+incompatible/errdefs#ErrNotFound
 func (errCredentialsNotFound) NotFound() {}
 // NewErrCredentialsNotFound creates a new error
 // for when the credentials are not in the store.
 func NewErrCredentialsNotFound() error {
@@ -30,8 +40,8 @@ func NewErrCredentialsNotFound() error {
 // IsErrCredentialsNotFound returns true if the error
 // was caused by not having a set of credentials in a store.
 func IsErrCredentialsNotFound(err error) bool {
-	_, ok := err.(errCredentialsNotFound)
+	var target errCredentialsNotFound
-	return ok
+	return errors.As(err, &target)
 }
 // IsErrCredentialsNotFoundMessage returns true if the error
@@ -40,7 +50,7 @@ func IsErrCredentialsNotFound(err error) bool {
 // This function helps to check messages returned by an
 // external program via its standard output.
 func IsErrCredentialsNotFoundMessage(err string) bool {
-	return err == errCredentialsNotFoundMessage
+	return strings.TrimSpace(err) == errCredentialsNotFoundMessage
 }
 // errCredentialsMissingServerURL represents an error raised
@@ -53,6 +63,12 @@ func (errCredentialsMissingServerURL) Error() string {
 	return errCredentialsMissingServerURLMessage
 }
 // InvalidParameter implements the [ErrInvalidParameter][errdefs.ErrInvalidParameter]
 // interface.
 //
 // [errdefs.ErrInvalidParameter]: https://pkg.go.dev/github.com/docker/docker@v24.0.1+incompatible/errdefs#ErrInvalidParameter
 func (errCredentialsMissingServerURL) InvalidParameter() {}
 // errCredentialsMissingUsername represents an error raised
 // when the credentials object has no username or when no
 // username is provided to a credentials operation requiring
@@ -63,6 +79,12 @@ func (errCredentialsMissingUsername) Error() string {
 	return errCredentialsMissingUsernameMessage
 }
 // InvalidParameter implements the [ErrInvalidParameter][errdefs.ErrInvalidParameter]
 // interface.
 //
 // [errdefs.ErrInvalidParameter]: https://pkg.go.dev/github.com/docker/docker@v24.0.1+incompatible/errdefs#ErrInvalidParameter
 func (errCredentialsMissingUsername) InvalidParameter() {}
 // NewErrCredentialsMissingServerURL creates a new error for
 // errCredentialsMissingServerURL.
 func NewErrCredentialsMissingServerURL() error {
@@ -78,25 +100,25 @@ func NewErrCredentialsMissingUsername() error {
 // IsCredentialsMissingServerURL returns true if the error
 // was an errCredentialsMissingServerURL.
 func IsCredentialsMissingServerURL(err error) bool {
-	_, ok := err.(errCredentialsMissingServerURL)
+	var target errCredentialsMissingServerURL
-	return ok
+	return errors.As(err, &target)
 }
 // IsCredentialsMissingServerURLMessage checks for an
 // errCredentialsMissingServerURL in the error message.
 func IsCredentialsMissingServerURLMessage(err string) bool {
-	return err == errCredentialsMissingServerURLMessage
+	return strings.TrimSpace(err) == errCredentialsMissingServerURLMessage
 }
 // IsCredentialsMissingUsername returns true if the error
 // was an errCredentialsMissingUsername.
 func IsCredentialsMissingUsername(err error) bool {
-	_, ok := err.(errCredentialsMissingUsername)
+	var target errCredentialsMissingUsername
-	return ok
+	return errors.As(err, &target)
 }
 // IsCredentialsMissingUsernameMessage checks for an
 // errCredentialsMissingUsername in the error message.
 func IsCredentialsMissingUsernameMessage(err string) bool {
-	return err == errCredentialsMissingUsernameMessage
+	return strings.TrimSpace(err) == errCredentialsMissingUsernameMessage
 }
@@ -1,4 +1,16 @@
 package credentials
-// Version holds a string describing the current version
+var (
-const Version = "0.6.3"
+	// Name is filled at linking time
 	Name = ""
 	// Package is filled at linking time
 	Package = "github.com/docker/docker-credential-helpers"
 	// Version holds the complete version number. Filled in at linking time.
 	Version = "v0.0.0+unknown"
 	// Revision is filled with the VCS (e.g. git) revision being used to build
 	// the program at linking time.
 	Revision = ""
 )
@@ -1,13 +1,21 @@
-FROM ubuntu:xenial
+# syntax=docker/dockerfile:1
-ARG VERSION
+ARG GO_VERSION=1.25.7
-ARG DISTRO
+ARG DISTRO=ubuntu
 ARG SUITE=jammy
-RUN apt-get update && apt-get install -yy debhelper dh-make golang-go libsecret-1-dev
+FROM golang:${GO_VERSION}-bookworm AS golang
 FROM ${DISTRO}:${SUITE}
 RUN apt-get update && apt-get install -yy debhelper dh-make libsecret-1-dev
 RUN mkdir -p /build
 WORKDIR /build
-ENV GOPATH /build
+ENV GOPROXY=https://proxy.golang.org|direct
 ENV GO111MODULE=off
 ENV GOPATH=/build
 ENV PATH=$PATH:/usr/local/go/bin:$GOPATH/bin
 COPY --from=golang /usr/local/go /usr/local/go
 COPY Makefile .
 COPY credentials credentials
@@ -16,4 +24,12 @@ COPY pass pass
 COPY deb/debian ./debian
 COPY deb/build-deb .
-RUN /build/build-deb ${VERSION} ${DISTRO}
+ARG VERSION
 ENV VERSION=${VERSION}
 ARG REVISION
 ENV REVISION=${REVISION}
 ARG DISTRO
 ENV DISTRO=${DISTRO}
 ARG SUITE
 ENV SUITE=${SUITE}
 RUN /build/build-deb
@@ -1,14 +1,10 @@
 #!/usr/bin/env bash
-set -x
+set -ex
 set -e
 version=$1
 distro=$2
 maintainer=$(awk -F ': ' '$1 == "Maintainer" { print $2; exit }' debian/control)
 cat > "debian/changelog" <<-EOF
-docker-credential-helpers ($version) $DISTRO; urgency=low
+docker-credential-helpers ($VERSION) $DISTRO-$SUITE; urgency=low
  * New upstream version
@@ -3,7 +3,8 @@
 DESTDIR := $(CURDIR)/debian/tmp
 override_dh_auto_build:
-	make secretservice pass
+	make build-secretservice DESTDIR=bin
 	make build-pass DESTDIR=bin
 override_dh_auto_install:
 	install -D bin/docker-credential-secretservice $(DESTDIR)/usr/bin/docker-credential-secretservice
@@ -0,0 +1,74 @@
 variable "GO_VERSION" {
  default = null
 }
 # Defines the output folder
 variable "DESTDIR" {
  default = ""
 }
 function "bindir" {
  params = [defaultdir]
  result = DESTDIR != "" ? DESTDIR : "./bin/${defaultdir}"
 }
 target "_common" {
  args = {
    GO_VERSION = GO_VERSION
  }
 }
 group "default" {
  targets = ["binaries"]
 }
 group "validate" {
  targets = ["lint", "vendor-validate"]
 }
 target "lint" {
  inherits = ["_common"]
  target = "lint"
  output = ["type=cacheonly"]
 }
 target "vendor-validate" {
  inherits = ["_common"]
  target = "vendor-validate"
  output = ["type=cacheonly"]
 }
 target "vendor" {
  inherits = ["_common"]
  target = "vendor-update"
  output = ["."]
 }
 target "test" {
  inherits = ["_common"]
  target = "test-coverage"
  output = [bindir("coverage")]
 }
 target "binaries" {
  inherits = ["_common"]
  target = "binaries"
  output = [bindir("build")]
  platforms = [
    "darwin/amd64",
    "darwin/arm64",
    "linux/amd64",
    "linux/arm64",
    "linux/arm/v7",
    "linux/arm/v6",
    "linux/ppc64le",
    "linux/s390x",
    "windows/amd64",
    "windows/arm64"
  ]
 }
 target "release" {
  inherits = ["binaries"]
  target = "release"
  output = [bindir("release")]
 }
@@ -0,0 +1,15 @@
 module github.com/docker/docker-credential-helpers
 go 1.21
 retract (
 	v0.9.1 // osxkeychain: a regression caused backward-incompatibility with earlier versions
 	v0.9.0 // osxkeychain: a regression caused backward-incompatibility with earlier versions
 )
 require (
 	github.com/danieljoos/wincred v1.2.3
 	github.com/keybase/go-keychain v0.0.1
 )
 require golang.org/x/sys v0.20.0 // indirect
@@ -0,0 +1,16 @@
 github.com/danieljoos/wincred v1.2.3 h1:v7dZC2x32Ut3nEfRH+vhoZGvN72+dQ/snVXo/vMFLdQ=
 github.com/danieljoos/wincred v1.2.3/go.mod h1:6qqX0WNrS4RzPZ1tnroDzq9kY3fu1KwE7MRLQK4X0bs=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/keybase/go-keychain v0.0.1 h1:way+bWYa6lDppZoZcgMbYsvC7GxljxrskdNInRtuthU=
 github.com/keybase/go-keychain v0.0.1/go.mod h1:PdEILRW3i9D8JcdM+FmY6RwkHGnhHxXwkPPMeUgOK1k=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY=
 github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
 github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
 github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
 golang.org/x/sys v0.20.0 h1:Od9JTbYCk261bKm4M/mw7AklTlFYIa0bIp9BgSm1S8Y=
 golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
@@ -0,0 +1,16 @@
 #!/usr/bin/env sh
 set -e
 case $1 in
 	"version")
 		git describe --match 'v[0-9]*' --dirty='.m' --always --tags
 		;;
 	"revision")
 		echo "$(git rev-parse HEAD)$(if ! git diff --no-ext-diff --quiet --exit-code; then echo .m; fi)"
 		;;
 	*)
 		echo "usage: ./hack/git-meta <version|revision>"
 		exit 1
 		;;
 esac
@@ -0,0 +1,59 @@
 #!/usr/bin/env bash
 set -e
 : "${BUILDX_CMD=docker buildx}"
 : "${DESTDIR=./bin/release}"
 : "${CACHE_FROM=}"
 : "${CACHE_TO=}"
 : "${SIGN=}"
 : "${PFX=}"
 : "${PFXPASSWORD=}"
 if [ -n "$CACHE_FROM" ]; then
 	for cfrom in $CACHE_FROM; do
 		cacheFlags+=(--set "*.cache-from=$cfrom")
 	done
 fi
 if [ -n "$CACHE_TO" ]; then
 	for cto in $CACHE_TO; do
 		cacheFlags+=(--set "*.cache-to=$cto")
 	done
 fi
 dockerpfx=$(mktemp -t dockercredhelper-pfx.XXXXXXXXXX)
 function clean {
 	rm -f "$dockerpfx"
 }
 trap clean EXIT
 # release
 (
 	set -x
 	${BUILDX_CMD} bake "${cacheFlags[@]}" --set "*.output=$DESTDIR" release
 )
 # wrap binaries
 mv -f ./${DESTDIR}/**/* ./${DESTDIR}/
 find ./${DESTDIR} -type d -empty -delete
 # sign binaries
 if [ -n "$SIGN" ]; then
 	for f in "${DESTDIR}"/*".darwin-"*; do
 		SIGNINGHASH=$(security find-identity -v -p codesigning | grep "Developer ID Application: Docker Inc" | cut -d ' ' -f 4)
 		xcrun -log codesign -s "$SIGNINGHASH" --force --verbose "$f"
 		xcrun codesign --verify --deep --strict --verbose=2 --display "$f"
 	done
 	for f in "${DESTDIR}"/*".windows-"*; do
 		echo ${PFX} | base64 -d > "$dockerpfx"
 		signtool sign /fd SHA256 /a /f pfx /p ${PFXPASSWORD} /d Docker /du https://www.docker.com /t http://timestamp.verisign.com/scripts/timestamp.dll "$f"
 	done
 fi
 # checksums
 (
  cd ${DESTDIR}
  sha256sum -b docker-credential-* > ./checksums.txt
  sha256sum -c --strict checksums.txt
 )
@@ -1,3 +1,5 @@
 //go:build darwin && cgo
 package main
 import (
@@ -0,0 +1,182 @@
 //go:build darwin && cgo
 package osxkeychain
 /*
 #cgo LDFLAGS: -framework Security -framework CoreFoundation
 #include <CoreFoundation/CoreFoundation.h>
 #include <Security/Security.h>
 */
 import "C"
 import (
 	"errors"
 	"net"
 	"net/url"
 	"strconv"
 	"github.com/docker/docker-credential-helpers/credentials"
 	"github.com/docker/docker-credential-helpers/registryurl"
 	"github.com/keybase/go-keychain"
 )
 // https://opensource.apple.com/source/Security/Security-55471/sec/Security/SecBase.h.auto.html
 const (
 	// errCredentialsNotFound is the specific error message returned by OS X
 	// when the credentials are not in the keychain.
 	errCredentialsNotFound = "The specified item could not be found in the keychain. (-25300)"
 	// errInteractionNotAllowed is the specific error message returned by OS X
 	// when environment does not allow showing dialog to unlock keychain.
 	errInteractionNotAllowed = "User interaction is not allowed. (-25308)"
 )
 // ErrInteractionNotAllowed is returned if keychain password prompt can not be shown.
 var ErrInteractionNotAllowed = errors.New(`keychain cannot be accessed because the current session does not allow user interaction. The keychain may be locked; unlock it by running "security -v unlock-keychain ~/Library/Keychains/login.keychain-db" and try again`)
 // Osxkeychain handles secrets using the OS X Keychain as store.
 type Osxkeychain struct{}
 // Add adds new credentials to the keychain.
 func (h Osxkeychain) Add(creds *credentials.Credentials) error {
 	_ = h.Delete(creds.ServerURL) // ignore errors as existing credential may not exist.
 	item := keychain.NewItem()
 	item.SetSecClass(keychain.SecClassInternetPassword)
 	item.SetLabel(credentials.CredsLabel)
 	item.SetAccount(creds.Username)
 	item.SetData([]byte(creds.Secret))
 	// Prior to v0.9, the credential helper was searching for credentials with
 	// the "dflt" authentication type (see [1]). Since v0.9.0, Get doesn't use
 	// that attribute anymore, and v0.9.0 - v0.9.2 were not setting it here
 	// either.
 	//
 	// In order to keep compatibility with older versions, we need to store
 	// credentials with this attribute set. This way, credentials stored with
 	// newer versions can be retrieved by older versions.
 	//
 	// [1]: https://github.com/docker/docker-credential-helpers/blob/v0.8.2/osxkeychain/osxkeychain.c#L66
 	item.SetAuthenticationType("dflt")
 	if err := splitServer(creds.ServerURL, item); err != nil {
 		return err
 	}
 	return keychain.AddItem(item)
 }
 // Delete removes credentials from the keychain.
 func (h Osxkeychain) Delete(serverURL string) error {
 	item := keychain.NewItem()
 	item.SetSecClass(keychain.SecClassInternetPassword)
 	if err := splitServer(serverURL, item); err != nil {
 		return err
 	}
 	if err := keychain.DeleteItem(item); err != nil {
 		switch err.Error() {
 		case errCredentialsNotFound:
 			return credentials.NewErrCredentialsNotFound()
 		case errInteractionNotAllowed:
 			return ErrInteractionNotAllowed
 		default:
 			return err
 		}
 	}
 	return nil
 }
 // Get returns the username and secret to use for a given registry server URL.
 func (h Osxkeychain) Get(serverURL string) (string, string, error) {
 	item := keychain.NewItem()
 	item.SetSecClass(keychain.SecClassInternetPassword)
 	item.SetMatchLimit(keychain.MatchLimitOne)
 	item.SetReturnAttributes(true)
 	item.SetReturnData(true)
 	if err := splitServer(serverURL, item); err != nil {
 		return "", "", err
 	}
 	res, err := keychain.QueryItem(item)
 	if err != nil {
 		switch err.Error() {
 		case errCredentialsNotFound:
 			return "", "", credentials.NewErrCredentialsNotFound()
 		case errInteractionNotAllowed:
 			return "", "", ErrInteractionNotAllowed
 		default:
 			return "", "", err
 		}
 	} else if len(res) == 0 {
 		return "", "", credentials.NewErrCredentialsNotFound()
 	}
 	return res[0].Account, string(res[0].Data), nil
 }
 // List returns the stored URLs and corresponding usernames.
 func (h Osxkeychain) List() (map[string]string, error) {
 	item := keychain.NewItem()
 	item.SetSecClass(keychain.SecClassInternetPassword)
 	item.SetMatchLimit(keychain.MatchLimitAll)
 	item.SetReturnAttributes(true)
 	item.SetLabel(credentials.CredsLabel)
 	res, err := keychain.QueryItem(item)
 	if err != nil {
 		switch err.Error() {
 		case errCredentialsNotFound:
 			return make(map[string]string), nil
 		case errInteractionNotAllowed:
 			return nil, ErrInteractionNotAllowed
 		default:
 			return nil, err
 		}
 	}
 	resp := make(map[string]string)
 	for _, r := range res {
 		proto := "http"
 		if r.Protocol == kSecProtocolTypeHTTPS {
 			proto = "https"
 		}
 		host := r.Server
 		if r.Port != 0 {
 			host = net.JoinHostPort(host, strconv.Itoa(int(r.Port)))
 		}
 		u := url.URL{
 			Scheme: proto,
 			Host:   host,
 			Path:   r.Path,
 		}
 		resp[u.String()] = r.Account
 	}
 	return resp, nil
 }
 const (
 	// Hardcoded protocol types matching their Objective-C equivalents.
 	// https://developer.apple.com/documentation/security/ksecattrprotocolhttps?language=objc
 	kSecProtocolTypeHTTPS = "htps" // This is NOT a typo.
 	// https://developer.apple.com/documentation/security/ksecattrprotocolhttp?language=objc
 	kSecProtocolTypeHTTP = "http"
 )
 func splitServer(serverURL string, item keychain.Item) error {
 	u, err := registryurl.Parse(serverURL)
 	if err != nil {
 		return err
 	}
 	item.SetProtocol(kSecProtocolTypeHTTPS)
 	if u.Scheme == "http" {
 		item.SetProtocol(kSecProtocolTypeHTTP)
 	}
 	item.SetServer(u.Hostname())
 	if p := u.Port(); p != "" {
 		port, err := strconv.Atoi(p)
 		if err != nil {
 			return err
 		}
 		item.SetPort(int32(port))
 	}
 	item.SetPath(u.Path)
 	return nil
 }
@@ -1,227 +0,0 @@
 #include "osxkeychain_darwin.h"
 #include <CoreFoundation/CoreFoundation.h>
 #include <Foundation/NSValue.h>
 #include <stdio.h>
 #include <string.h>
 char *get_error(OSStatus status) {
  char *buf = malloc(128);
  CFStringRef str = SecCopyErrorMessageString(status, NULL);
  int success = CFStringGetCString(str, buf, 128, kCFStringEncodingUTF8);
  if (!success) {
    strncpy(buf, "Unknown error", 128);
  }
  return buf;
 }
 char *keychain_add(struct Server *server, char *label, char *username, char *secret) {
  SecKeychainItemRef item;
  OSStatus status = SecKeychainAddInternetPassword(
    NULL,
    strlen(server->host), server->host,
    0, NULL,
    strlen(username), username,
    strlen(server->path), server->path,
    server->port,
    server->proto,
    kSecAuthenticationTypeDefault,
    strlen(secret), secret,
    &item
  );
  if (status) {
    return get_error(status);
  }
  SecKeychainAttribute attribute;
  SecKeychainAttributeList attrs;
  attribute.tag = kSecLabelItemAttr;
  attribute.data = label;
  attribute.length = strlen(label);
  attrs.count = 1;
  attrs.attr = &attribute;
  status = SecKeychainItemModifyContent(item, &attrs, 0, NULL);
  if (status) {
    return get_error(status);
  }
  return NULL;
 }
 char *keychain_get(struct Server *server, unsigned int *username_l, char **username, unsigned int *secret_l, char **secret) {
  char *tmp;
  SecKeychainItemRef item;
  OSStatus status = SecKeychainFindInternetPassword(
    NULL,
    strlen(server->host), server->host,
    0, NULL,
    0, NULL,
    strlen(server->path), server->path,
    server->port,
    server->proto,
    kSecAuthenticationTypeDefault,
    secret_l, (void **)&tmp,
    &item);
  if (status) {
    return get_error(status);
  }
  *secret = strdup(tmp);
  SecKeychainItemFreeContent(NULL, tmp);
  SecKeychainAttributeList list;
  SecKeychainAttribute attr;
  list.count = 1;
  list.attr = &attr;
  attr.tag = kSecAccountItemAttr;
  status = SecKeychainItemCopyContent(item, NULL, &list, NULL, NULL);
  if (status) {
    return get_error(status);
  }
  *username = strdup(attr.data);
  *username_l = attr.length;
  SecKeychainItemFreeContent(&list, NULL);
  return NULL;
 }
 char *keychain_delete(struct Server *server) {
  SecKeychainItemRef item;
  OSStatus status = SecKeychainFindInternetPassword(
    NULL,
    strlen(server->host), server->host,
    0, NULL,
    0, NULL,
    strlen(server->path), server->path,
    server->port,
    server->proto,
    kSecAuthenticationTypeDefault,
    0, NULL,
    &item);
  if (status) {
    return get_error(status);
  }
  status = SecKeychainItemDelete(item);
  if (status) {
    return get_error(status);
  }
  return NULL;
 }
 char * CFStringToCharArr(CFStringRef aString) {
  if (aString == NULL) {
    return NULL;
  }
  CFIndex length = CFStringGetLength(aString);
  CFIndex maxSize =
  CFStringGetMaximumSizeForEncoding(length, kCFStringEncodingUTF8) + 1;
  char *buffer = (char *)malloc(maxSize);
  if (CFStringGetCString(aString, buffer, maxSize,
                         kCFStringEncodingUTF8)) {
    return buffer;
  }
  return NULL;
 }
 char *keychain_list(char *credsLabel, char *** paths, char *** accts, unsigned int *list_l) {
    CFStringRef credsLabelCF = CFStringCreateWithCString(NULL, credsLabel, kCFStringEncodingUTF8);
    CFMutableDictionaryRef query = CFDictionaryCreateMutable (NULL, 1, NULL, NULL);
    CFDictionaryAddValue(query, kSecClass, kSecClassInternetPassword);
    CFDictionaryAddValue(query, kSecReturnAttributes, kCFBooleanTrue);
    CFDictionaryAddValue(query, kSecMatchLimit, kSecMatchLimitAll);
    CFDictionaryAddValue(query, kSecAttrLabel, credsLabelCF);
    //Use this query dictionary
    CFTypeRef result= NULL;
    OSStatus status = SecItemCopyMatching(
                                          query,
                                          &result);
    CFRelease(credsLabelCF);
    //Ran a search and store the results in result
    if (status) {
        return get_error(status);
    }
    CFIndex numKeys = CFArrayGetCount(result);
    *paths = (char **) malloc((int)sizeof(char *)*numKeys);
    *accts = (char **) malloc((int)sizeof(char *)*numKeys);
    //result is of type CFArray
    for(CFIndex i=0; i<numKeys; i++) {
        CFDictionaryRef currKey = CFArrayGetValueAtIndex(result,i);
        CFStringRef protocolTmp = CFDictionaryGetValue(currKey, CFSTR("ptcl"));
        if (protocolTmp != NULL) {
            CFStringRef protocolStr = CFStringCreateWithFormat(NULL, NULL, CFSTR("%@"), protocolTmp);
            if (CFStringCompare(protocolStr, CFSTR("htps"), 0) == kCFCompareEqualTo) {
                protocolTmp = CFSTR("https://");
            }
            else {
                protocolTmp = CFSTR("http://");
            }
            CFRelease(protocolStr);
        }
        else {
            char * path = "0";
            char * acct = "0";
            (*paths)[i] = (char *) malloc(sizeof(char)*(strlen(path)));
            memcpy((*paths)[i], path, sizeof(char)*(strlen(path)));
            (*accts)[i] = (char *) malloc(sizeof(char)*(strlen(acct)));
            memcpy((*accts)[i], acct, sizeof(char)*(strlen(acct)));
            continue;
        }
        CFMutableStringRef str = CFStringCreateMutableCopy(NULL, 0, protocolTmp);
        CFStringRef serverTmp = CFDictionaryGetValue(currKey, CFSTR("srvr"));
        if (serverTmp != NULL) {
            CFStringAppend(str, serverTmp);
        }
        CFStringRef pathTmp = CFDictionaryGetValue(currKey, CFSTR("path"));
        if (pathTmp != NULL) {
            CFStringAppend(str, pathTmp);
        }
        const NSNumber * portTmp = CFDictionaryGetValue(currKey, CFSTR("port"));
        if (portTmp != NULL && portTmp.integerValue != 0) {
            CFStringRef portStr = CFStringCreateWithFormat(NULL, NULL, CFSTR("%@"), portTmp);
            CFStringAppend(str, CFSTR(":"));
            CFStringAppend(str, portStr);
            CFRelease(portStr);
        }
        CFStringRef acctTmp = CFDictionaryGetValue(currKey, CFSTR("acct"));
        if (acctTmp == NULL) {
            acctTmp = CFSTR("account not defined");
        }
        char * path = CFStringToCharArr(str);
        char * acct = CFStringToCharArr(acctTmp);
        //We now have all we need, username and servername. Now export this to .go
        (*paths)[i] = (char *) malloc(sizeof(char)*(strlen(path)+1));
        memcpy((*paths)[i], path, sizeof(char)*(strlen(path)+1));
        (*accts)[i] = (char *) malloc(sizeof(char)*(strlen(acct)+1));
        memcpy((*accts)[i], acct, sizeof(char)*(strlen(acct)+1));
        CFRelease(str);
    }
    *list_l = (int)numKeys;
    return NULL;
 }
 void freeListData(char *** data, unsigned int length) {
     for(int i=0; i<length; i++) {
        free((*data)[i]);
     }
 }
@@ -1,169 +0,0 @@
 package osxkeychain
 /*
 #cgo CFLAGS: -x objective-c -mmacosx-version-min=10.11
 #cgo LDFLAGS: -framework Security -framework Foundation -mmacosx-version-min=10.11
 #include "osxkeychain_darwin.h"
 #include <stdlib.h>
 */
 import "C"
 import (
 	"errors"
 	"strconv"
 	"unsafe"
 	"github.com/docker/docker-credential-helpers/credentials"
 	"github.com/docker/docker-credential-helpers/registryurl"
 )
 // errCredentialsNotFound is the specific error message returned by OS X
 // when the credentials are not in the keychain.
 const errCredentialsNotFound = "The specified item could not be found in the keychain."
 // Osxkeychain handles secrets using the OS X Keychain as store.
 type Osxkeychain struct{}
 // Add adds new credentials to the keychain.
 func (h Osxkeychain) Add(creds *credentials.Credentials) error {
 	h.Delete(creds.ServerURL)
 	s, err := splitServer(creds.ServerURL)
 	if err != nil {
 		return err
 	}
 	defer freeServer(s)
 	label := C.CString(credentials.CredsLabel)
 	defer C.free(unsafe.Pointer(label))
 	username := C.CString(creds.Username)
 	defer C.free(unsafe.Pointer(username))
 	secret := C.CString(creds.Secret)
 	defer C.free(unsafe.Pointer(secret))
 	errMsg := C.keychain_add(s, label, username, secret)
 	if errMsg != nil {
 		defer C.free(unsafe.Pointer(errMsg))
 		return errors.New(C.GoString(errMsg))
 	}
 	return nil
 }
 // Delete removes credentials from the keychain.
 func (h Osxkeychain) Delete(serverURL string) error {
 	s, err := splitServer(serverURL)
 	if err != nil {
 		return err
 	}
 	defer freeServer(s)
 	errMsg := C.keychain_delete(s)
 	if errMsg != nil {
 		defer C.free(unsafe.Pointer(errMsg))
 		return errors.New(C.GoString(errMsg))
 	}
 	return nil
 }
 // Get returns the username and secret to use for a given registry server URL.
 func (h Osxkeychain) Get(serverURL string) (string, string, error) {
 	s, err := splitServer(serverURL)
 	if err != nil {
 		return "", "", err
 	}
 	defer freeServer(s)
 	var usernameLen C.uint
 	var username *C.char
 	var secretLen C.uint
 	var secret *C.char
 	defer C.free(unsafe.Pointer(username))
 	defer C.free(unsafe.Pointer(secret))
 	errMsg := C.keychain_get(s, &usernameLen, &username, &secretLen, &secret)
 	if errMsg != nil {
 		defer C.free(unsafe.Pointer(errMsg))
 		goMsg := C.GoString(errMsg)
 		if goMsg == errCredentialsNotFound {
 			return "", "", credentials.NewErrCredentialsNotFound()
 		}
 		return "", "", errors.New(goMsg)
 	}
 	user := C.GoStringN(username, C.int(usernameLen))
 	pass := C.GoStringN(secret, C.int(secretLen))
 	return user, pass, nil
 }
 // List returns the stored URLs and corresponding usernames.
 func (h Osxkeychain) List() (map[string]string, error) {
 	credsLabelC := C.CString(credentials.CredsLabel)
 	defer C.free(unsafe.Pointer(credsLabelC))
 	var pathsC **C.char
 	defer C.free(unsafe.Pointer(pathsC))
 	var acctsC **C.char
 	defer C.free(unsafe.Pointer(acctsC))
 	var listLenC C.uint
 	errMsg := C.keychain_list(credsLabelC, &pathsC, &acctsC, &listLenC)
 	defer C.freeListData(&pathsC, listLenC)
 	defer C.freeListData(&acctsC, listLenC)
 	if errMsg != nil {
 		defer C.free(unsafe.Pointer(errMsg))
 		goMsg := C.GoString(errMsg)
 		if goMsg == errCredentialsNotFound {
 			return make(map[string]string), nil
 		}
 		return nil, errors.New(goMsg)
 	}
 	var listLen int
 	listLen = int(listLenC)
 	pathTmp := (*[1 << 30]*C.char)(unsafe.Pointer(pathsC))[:listLen:listLen]
 	acctTmp := (*[1 << 30]*C.char)(unsafe.Pointer(acctsC))[:listLen:listLen]
 	//taking the array of c strings into go while ignoring all the stuff irrelevant to credentials-helper
 	resp := make(map[string]string)
 	for i := 0; i < listLen; i++ {
 		if C.GoString(pathTmp[i]) == "0" {
 			continue
 		}
 		resp[C.GoString(pathTmp[i])] = C.GoString(acctTmp[i])
 	}
 	return resp, nil
 }
 func splitServer(serverURL string) (*C.struct_Server, error) {
 	u, err := registryurl.Parse(serverURL)
 	if err != nil {
 		return nil, err
 	}
 	proto := C.kSecProtocolTypeHTTPS
 	if u.Scheme == "http" {
 		proto = C.kSecProtocolTypeHTTP
 	}
 	var port int
 	p := registryurl.GetPort(u)
 	if p != "" {
 		port, err = strconv.Atoi(p)
 		if err != nil {
 			return nil, err
 		}
 	}
 	return &C.struct_Server{
 		proto: C.SecProtocolType(proto),
 		host:  C.CString(registryurl.GetHostname(u)),
 		port:  C.uint(port),
 		path:  C.CString(u.Path),
 	}, nil
 }
 func freeServer(s *C.struct_Server) {
 	C.free(unsafe.Pointer(s.host))
 	C.free(unsafe.Pointer(s.path))
 }
@@ -1,14 +0,0 @@
 #include <Security/Security.h>
 struct Server {
  SecProtocolType proto;
  char *host;
  char *path;
  unsigned int port;
 };
 char *keychain_add(struct Server *server, char *label, char *username, char *secret);
 char *keychain_get(struct Server *server, unsigned int *username_l, char **username, unsigned int *secret_l, char **secret);
 char *keychain_delete(struct Server *server);
 char *keychain_list(char *credsLabel, char *** data, char *** accts, unsigned int *list_l);
 void freeListData(char *** data, unsigned int length);
@@ -1,213 +0,0 @@
 package osxkeychain
 import (
 	"fmt"
 	"testing"
 	"github.com/docker/docker-credential-helpers/credentials"
 )
 func TestOSXKeychainHelper(t *testing.T) {
 	creds := &credentials.Credentials{
 		ServerURL: "https://foobar.docker.io:2376/v1",
 		Username:  "foobar",
 		Secret:    "foobarbaz",
 	}
 	creds1 := &credentials.Credentials{
 		ServerURL: "https://foobar.docker.io:2376/v2",
 		Username:  "foobarbaz",
 		Secret:    "foobar",
 	}
 	helper := Osxkeychain{}
 	if err := helper.Add(creds); err != nil {
 		t.Fatal(err)
 	}
 	username, secret, err := helper.Get(creds.ServerURL)
 	if err != nil {
 		t.Fatal(err)
 	}
 	if username != "foobar" {
 		t.Fatalf("expected %s, got %s\n", "foobar", username)
 	}
 	if secret != "foobarbaz" {
 		t.Fatalf("expected %s, got %s\n", "foobarbaz", secret)
 	}
 	auths, err := helper.List()
 	if err != nil || len(auths) == 0 {
 		t.Fatal(err)
 	}
 	helper.Add(creds1)
 	defer helper.Delete(creds1.ServerURL)
 	newauths, err := helper.List()
 	if len(newauths)-len(auths) != 1 {
 		if err == nil {
 			t.Fatalf("Error: len(newauths): %d, len(auths): %d", len(newauths), len(auths))
 		}
 		t.Fatalf("Error: len(newauths): %d, len(auths): %d\n Error= %v", len(newauths), len(auths), err)
 	}
 	if err := helper.Delete(creds.ServerURL); err != nil {
 		t.Fatal(err)
 	}
 }
 // TestOSXKeychainHelperRetrieveAliases verifies that secrets can be accessed
 // through variations on the URL
 func TestOSXKeychainHelperRetrieveAliases(t *testing.T) {
 	tests := []struct {
 		storeURL string
 		readURL  string
 	}{
 		// stored with port, retrieved without
 		{"https://foobar.docker.io:2376", "https://foobar.docker.io"},
 		// stored as https, retrieved without scheme
 		{"https://foobar.docker.io:2376", "foobar.docker.io"},
 		// stored with path, retrieved without
 		{"https://foobar.docker.io:1234/one/two", "https://foobar.docker.io:1234"},
 	}
 	helper := Osxkeychain{}
 	defer func() {
 		for _, te := range tests {
 			helper.Delete(te.storeURL)
 		}
 	}()
 	// Clean store before testing.
 	for _, te := range tests {
 		helper.Delete(te.storeURL)
 	}
 	for _, te := range tests {
 		c := &credentials.Credentials{ServerURL: te.storeURL, Username: "hello", Secret: "world"}
 		if err := helper.Add(c); err != nil {
 			t.Errorf("Error: failed to store secret for URL %q: %s", te.storeURL, err)
 			continue
 		}
 		if _, _, err := helper.Get(te.readURL); err != nil {
 			t.Errorf("Error: failed to read secret for URL %q using %q", te.storeURL, te.readURL)
 		}
 		helper.Delete(te.storeURL)
 	}
 }
 // TestOSXKeychainHelperRetrieveStrict verifies that only matching secrets are
 // returned.
 func TestOSXKeychainHelperRetrieveStrict(t *testing.T) {
 	tests := []struct {
 		storeURL string
 		readURL  string
 	}{
 		// stored as https, retrieved using http
 		{"https://foobar.docker.io:2376", "http://foobar.docker.io:2376"},
 		// stored as http, retrieved using https
 		{"http://foobar.docker.io:2376", "https://foobar.docker.io:2376"},
 		// same: stored as http, retrieved without a scheme specified (hence, using the default https://)
 		{"http://foobar.docker.io", "foobar.docker.io:5678"},
 		// non-matching ports
 		{"https://foobar.docker.io:1234", "https://foobar.docker.io:5678"},
 		// non-matching ports TODO is this desired behavior? The other way round does work
 		//{"https://foobar.docker.io", "https://foobar.docker.io:5678"},
 		// non-matching paths
 		{"https://foobar.docker.io:1234/one/two", "https://foobar.docker.io:1234/five/six"},
 	}
 	helper := Osxkeychain{}
 	defer func() {
 		for _, te := range tests {
 			helper.Delete(te.storeURL)
 		}
 	}()
 	// Clean store before testing.
 	for _, te := range tests {
 		helper.Delete(te.storeURL)
 	}
 	for _, te := range tests {
 		c := &credentials.Credentials{ServerURL: te.storeURL, Username: "hello", Secret: "world"}
 		if err := helper.Add(c); err != nil {
 			t.Errorf("Error: failed to store secret for URL %q: %s", te.storeURL, err)
 			continue
 		}
 		if _, _, err := helper.Get(te.readURL); err == nil {
 			t.Errorf("Error: managed to read secret for URL %q using %q, but should not be able to", te.storeURL, te.readURL)
 		}
 		helper.Delete(te.storeURL)
 	}
 }
 // TestOSXKeychainHelperStoreRetrieve verifies that secrets stored in the
 // the keychain can be read back using the URL that was used to store them.
 func TestOSXKeychainHelperStoreRetrieve(t *testing.T) {
 	tests := []struct {
 		url string
 	}{
 		{url: "foobar.docker.io"},
 		{url: "foobar.docker.io:2376"},
 		{url: "//foobar.docker.io:2376"},
 		{url: "https://foobar.docker.io:2376"},
 		{url: "http://foobar.docker.io:2376"},
 		{url: "https://foobar.docker.io:2376/some/path"},
 		{url: "https://foobar.docker.io:2376/some/other/path"},
 		{url: "https://foobar.docker.io:2376/some/other/path?foo=bar"},
 	}
 	helper := Osxkeychain{}
 	defer func() {
 		for _, te := range tests {
 			helper.Delete(te.url)
 		}
 	}()
 	// Clean store before testing.
 	for _, te := range tests {
 		helper.Delete(te.url)
 	}
 	// Note that we don't delete between individual tests here, to verify that
 	// subsequent stores/overwrites don't affect storing / retrieving secrets.
 	for i, te := range tests {
 		c := &credentials.Credentials{
 			ServerURL: te.url,
 			Username:  fmt.Sprintf("user-%d", i),
 			Secret:    fmt.Sprintf("secret-%d", i),
 		}
 		if err := helper.Add(c); err != nil {
 			t.Errorf("Error: failed to store secret for URL: %s: %s", te.url, err)
 			continue
 		}
 		user, secret, err := helper.Get(te.url)
 		if err != nil {
 			t.Errorf("Error: failed to read secret for URL %q: %s", te.url, err)
 			continue
 		}
 		if user != c.Username {
 			t.Errorf("Error: expected username %s, got username %s for URL: %s", c.Username, user, te.url)
 		}
 		if secret != c.Secret {
 			t.Errorf("Error: expected secret %s, got secret %s for URL: %s", c.Secret, secret, te.url)
 		}
 	}
 }
 func TestMissingCredentials(t *testing.T) {
 	helper := Osxkeychain{}
 	_, _, err := helper.Get("https://adsfasdf.wrewerwer.com/asdfsdddd")
 	if !credentials.IsErrCredentialsNotFound(err) {
 		t.Fatalf("expected ErrCredentialsNotFound, got %v", err)
 	}
 }
@@ -0,0 +1,323 @@
 //go:build darwin && cgo
 package osxkeychain
 import (
 	"fmt"
 	"testing"
 	"github.com/docker/docker-credential-helpers/credentials"
 )
 func TestOSXKeychainHelper(t *testing.T) {
 	creds := &credentials.Credentials{
 		ServerURL: "https://foobar.example.com:2376/v1",
 		Username:  "foobar",
 		Secret:    "foobarbaz",
 	}
 	helper := Osxkeychain{}
 	if err := helper.Add(creds); err != nil {
 		t.Fatal(err)
 	}
 	username, secret, err := helper.Get(creds.ServerURL)
 	if err != nil {
 		t.Fatal(err)
 	}
 	if username != "foobar" {
 		t.Fatalf("expected %s, got %s\n", "foobar", username)
 	}
 	if secret != "foobarbaz" {
 		t.Fatalf("expected %s, got %s\n", "foobarbaz", secret)
 	}
 	auths, err := helper.List()
 	if err != nil || len(auths) == 0 {
 		t.Fatal(err)
 	}
 	if _, ok := auths[creds.ServerURL]; !ok {
 		t.Fatalf("server %s not found in list, got: %+v", creds.ServerURL, auths)
 	}
 	// Insert another token and check if it is in the list
 	creds1 := &credentials.Credentials{
 		ServerURL: "https://foobar.example.com:2376/v2",
 		Username:  "foobarbaz",
 		Secret:    "foobar",
 	}
 	helper.Add(creds1)
 	defer helper.Delete(creds1.ServerURL)
 	auths, err = helper.List()
 	if err != nil {
 		t.Fatalf("operation List failed: %+v", err)
 	}
 	if _, ok := auths[creds.ServerURL]; !ok {
 		t.Fatalf("server %s not found in list, got: %+v", creds.ServerURL, auths)
 	}
 	if _, ok := auths[creds1.ServerURL]; !ok {
 		t.Fatalf("server %s not found in list, got: %+v", creds1.ServerURL, auths)
 	}
 	// Delete the 1st token inserted
 	if err := helper.Delete(creds.ServerURL); err != nil {
 		t.Fatal(err)
 	}
 	auths, err = helper.List()
 	if err != nil {
 		t.Fatalf("operation List failed: %+v", err)
 	}
 	// First token should have been deleted
 	if _, ok := auths[creds.ServerURL]; ok {
 		t.Fatalf("server %s was not deleted, got: %+v", creds.ServerURL, auths)
 	}
 	// Second token should still be there
 	if _, ok := auths[creds1.ServerURL]; !ok {
 		t.Fatalf("server %s not found in list, got: %+v", creds1.ServerURL, auths)
 	}
 }
 // TestOSXKeychainHelperRetrieveAliases verifies that secrets can be accessed
 // through variations on the URL
 func TestOSXKeychainHelperRetrieveAliases(t *testing.T) {
 	tests := []struct {
 		doc      string
 		storeURL string
 		readURL  string
 	}{
 		{
 			doc:      "stored with port, retrieved without",
 			storeURL: "https://foobar.example.com:2376",
 			readURL:  "https://foobar.example.com",
 		},
 		{
 			doc:      "stored as https, retrieved without scheme",
 			storeURL: "https://foobar.example.com:2376",
 			readURL:  "foobar.example.com",
 		},
 		{
 			doc:      "stored with path, retrieved without",
 			storeURL: "https://foobar.example.com:1234/one/two",
 			readURL:  "https://foobar.example.com:1234",
 		},
 	}
 	helper := Osxkeychain{}
 	t.Cleanup(func() {
 		for _, tc := range tests {
 			if err := helper.Delete(tc.storeURL); err != nil && !credentials.IsErrCredentialsNotFound(err) {
 				t.Errorf("cleanup: failed to delete '%s': %v", tc.storeURL, err)
 			}
 		}
 	})
 	// Clean store before testing.
 	for _, tc := range tests {
 		if err := helper.Delete(tc.storeURL); err != nil && !credentials.IsErrCredentialsNotFound(err) {
 			t.Errorf("prepare: failed to delete '%s': %v", tc.storeURL, err)
 		}
 	}
 	for _, tc := range tests {
 		tc := tc
 		t.Run(tc.doc, func(t *testing.T) {
 			c := &credentials.Credentials{ServerURL: tc.storeURL, Username: "hello", Secret: "world"}
 			if err := helper.Add(c); err != nil {
 				t.Fatalf("Error: failed to store secret for URL %q: %s", tc.storeURL, err)
 			}
 			if _, _, err := helper.Get(tc.readURL); err != nil {
 				t.Errorf("Error: failed to read secret for URL %q using %q: %s", tc.storeURL, tc.readURL, err)
 			}
 			if err := helper.Delete(tc.storeURL); err != nil {
 				t.Error(err)
 			}
 		})
 	}
 }
 func TestOSXKeychainHelperStoreWithUncleanPath(t *testing.T) {
 	helper := Osxkeychain{}
 	creds := &credentials.Credentials{
 		ServerURL: "https://::1:8080//////location/../../hello",
 		Username:  "testuser",
 		Secret:    "testsecret",
 	}
 	// Clean store before and after the test.
 	defer helper.Delete(creds.ServerURL)
 	if err := helper.Delete(creds.ServerURL); err != nil && !credentials.IsErrCredentialsNotFound(err) {
 		t.Errorf("prepare: failed to delete '%s': %v", creds.ServerURL, err)
 	}
 	// Store the credentials
 	if err := helper.Add(creds); err != nil {
 		t.Fatalf("Error: failed to store credentials with unclean path %q: %s", creds.ServerURL, err)
 	}
 	// Retrieve and verify credentials
 	username, secret, err := helper.Get(creds.ServerURL)
 	if err != nil {
 		t.Fatalf("Error: failed to retrieve credentials with unclean path %q: %s", creds.ServerURL, err)
 	}
 	if username != creds.Username {
 		t.Errorf("Error: expected username %s, got %s", creds.Username, username)
 	}
 	if secret != creds.Secret {
 		t.Errorf("Error: expected secret %s, got %s", creds.Secret, secret)
 	}
 }
 // TestOSXKeychainHelperRetrieveStrict verifies that only matching secrets are
 // returned.
 func TestOSXKeychainHelperRetrieveStrict(t *testing.T) {
 	tests := []struct {
 		doc      string
 		storeURL string
 		readURL  string
 	}{
 		{
 			doc:      "stored as https, retrieved using http",
 			storeURL: "https://foobar.example.com:2376",
 			readURL:  "http://foobar.example.com:2376",
 		},
 		{
 			doc:      "stored as http, retrieved using https",
 			storeURL: "http://foobar.example.com:2376",
 			readURL:  "https://foobar.example.com:2376",
 		},
 		{
 			// stored as http, retrieved without a scheme specified (hence, using the default https://)
 			doc:      "stored as http, retrieved without scheme",
 			storeURL: "http://foobar.example.com",
 			readURL:  "foobar.example.com:5678",
 		},
 		{
 			doc:      "non-matching ports",
 			storeURL: "https://foobar.example.com:1234",
 			readURL:  "https://foobar.example.com:5678",
 		},
 		// TODO: is this desired behavior? The other way round does work
 		// {
 		// 	doc:      "non-matching ports (stored without port)",
 		// 	storeURL: "https://foobar.example.com",
 		// 	readURL:  "https://foobar.example.com:5678",
 		// },
 		{
 			doc:      "non-matching paths",
 			storeURL: "https://foobar.example.com:1234/one/two",
 			readURL:  "https://foobar.example.com:1234/five/six",
 		},
 	}
 	helper := Osxkeychain{}
 	t.Cleanup(func() {
 		for _, tc := range tests {
 			if err := helper.Delete(tc.storeURL); err != nil && !credentials.IsErrCredentialsNotFound(err) {
 				t.Errorf("cleanup: failed to delete '%s': %v", tc.storeURL, err)
 			}
 		}
 	})
 	// Clean store before testing.
 	for _, tc := range tests {
 		if err := helper.Delete(tc.storeURL); err != nil && !credentials.IsErrCredentialsNotFound(err) {
 			t.Errorf("prepare: failed to delete '%s': %v", tc.storeURL, err)
 		}
 	}
 	for _, tc := range tests {
 		tc := tc
 		t.Run(tc.doc, func(t *testing.T) {
 			c := &credentials.Credentials{ServerURL: tc.storeURL, Username: "hello", Secret: "world"}
 			if err := helper.Add(c); err != nil {
 				t.Fatalf("Error: failed to store secret for URL %q: %s", tc.storeURL, err)
 			}
 			if _, _, err := helper.Get(tc.readURL); err == nil {
 				t.Errorf("Error: managed to read secret for URL %q using %q, but should not be able to", tc.storeURL, tc.readURL)
 			}
 			if err := helper.Delete(tc.storeURL); err != nil {
 				t.Error(err)
 			}
 		})
 	}
 }
 // TestOSXKeychainHelperStoreRetrieve verifies that secrets stored in the
 // the keychain can be read back using the URL that was used to store them.
 func TestOSXKeychainHelperStoreRetrieve(t *testing.T) {
 	tests := []struct {
 		url string
 	}{
 		{url: "foobar.example.com"},
 		{url: "foobar.example.com:2376"},
 		{url: "//foobar.example.com:2376"},
 		{url: "https://foobar.example.com:2376"},
 		{url: "http://foobar.example.com:2376"},
 		{url: "https://foobar.example.com:2376/some/path"},
 		{url: "https://foobar.example.com:2376/some/other/path"},
 		{url: "https://foobar.example.com:2376/some/other/path?foo=bar"},
 	}
 	helper := Osxkeychain{}
 	t.Cleanup(func() {
 		for _, tc := range tests {
 			if err := helper.Delete(tc.url); err != nil && !credentials.IsErrCredentialsNotFound(err) {
 				t.Errorf("cleanup: failed to delete '%s': %v", tc.url, err)
 			}
 		}
 	})
 	// Clean store before testing.
 	for _, tc := range tests {
 		if err := helper.Delete(tc.url); err != nil && !credentials.IsErrCredentialsNotFound(err) {
 			t.Errorf("prepare: failed to delete '%s': %v", tc.url, err)
 		}
 	}
 	// Note that we don't delete between individual tests here, to verify that
 	// subsequent stores/overwrites don't affect storing / retrieving secrets.
 	for i, tc := range tests {
 		tc := tc
 		t.Run(tc.url, func(t *testing.T) {
 			c := &credentials.Credentials{
 				ServerURL: tc.url,
 				Username:  fmt.Sprintf("user-%d", i),
 				Secret:    fmt.Sprintf("secret-%d", i),
 			}
 			if err := helper.Add(c); err != nil {
 				t.Fatalf("Error: failed to store secret for URL: %s: %s", tc.url, err)
 			}
 			user, secret, err := helper.Get(tc.url)
 			if err != nil {
 				t.Fatalf("Error: failed to read secret for URL %q: %s", tc.url, err)
 			}
 			if user != c.Username {
 				t.Errorf("Error: expected username %s, got username %s for URL: %s", c.Username, user, tc.url)
 			}
 			if secret != c.Secret {
 				t.Errorf("Error: expected secret %s, got secret %s for URL: %s", c.Secret, secret, tc.url)
 			}
 		})
 	}
 }
 func TestMissingCredentials(t *testing.T) {
 	const nonExistingCred = "https://adsfasdf.invalid/asdfsdddd"
 	helper := Osxkeychain{}
 	_, _, err := helper.Get(nonExistingCred)
 	if !credentials.IsErrCredentialsNotFound(err) {
 		t.Errorf("expected ErrCredentialsNotFound, got %v", err)
 	}
 	err = helper.Delete(nonExistingCred)
 	if !credentials.IsErrCredentialsNotFound(err) {
 		t.Errorf("expected ErrCredentialsNotFound, got %v", err)
 	}
 }
@@ -1,7 +1,7 @@
-// A `pass` based credential helper. Passwords are stored as arguments to pass
+// Package pass implements a `pass` based credential helper. Passwords are stored
-// of the form: "$PASS_FOLDER/base64-url(serverURL)/username". We base64-url
+// as arguments to pass of the form: "$PASS_FOLDER/base64-url(serverURL)/username".
-// encode the serverURL, because under the hood pass uses files and folders, so
+// We base64-url encode the serverURL, because under the hood pass uses files and
-// /s will get translated into additional folders.
+// folders, so /s will get translated into additional folders.
 package pass
 import (
@@ -9,29 +9,32 @@ import (
 	"encoding/base64"
 	"errors"
 	"fmt"
-	"io/ioutil"
+	"io/fs"
 	"os"
 	"os/exec"
 	"path"
 	"path/filepath"
 	"strings"
 	"sync"
 	"github.com/docker/docker-credential-helpers/credentials"
 )
-const PASS_FOLDER = "docker-credential-helpers"
+// PASS_FOLDER contains the directory where credentials are stored
 const PASS_FOLDER = "docker-credential-helpers" //nolint:revive
-// Pass handles secrets using Linux secret-service as a store.
+// Pass handles secrets using pass as a store.
 type Pass struct{}
 // Ideally these would be stored as members of Pass, but since all of Pass's
 // methods have value receivers, not pointer receivers, and changing that is
 // backwards incompatible, we assume that all Pass instances share the same configuration
-
+var (
 	// initializationMutex is held while initializing so that only one 'pass'
 	// round-tripping is done to check pass is functioning.
-var initializationMutex sync.Mutex
+	initializationMutex sync.Mutex
-var passInitialized bool
+	passInitialized     bool
 )
 // CheckInitialized checks whether the password helper can be used. It
 // internally caches and so may be safely called multiple times with no impact
@@ -79,34 +82,33 @@ func (p Pass) runPassHelper(stdinContent string, args ...string) (string, error)
 }
 // Add adds new credentials to the keychain.
-func (h Pass) Add(creds *credentials.Credentials) error {
+func (p Pass) Add(creds *credentials.Credentials) error {
 	if creds == nil {
 		return errors.New("missing credentials")
 	}
-	encoded := base64.URLEncoding.EncodeToString([]byte(creds.ServerURL))
+	encoded := encodeServerURL(creds.ServerURL)
-
+	_, err := p.runPass(creds.Secret, "insert", "-f", "-m", path.Join(PASS_FOLDER, encoded, creds.Username))
 	_, err := h.runPass(creds.Secret, "insert", "-f", "-m", path.Join(PASS_FOLDER, encoded, creds.Username))
 	return err
 }
 // Delete removes credentials from the store.
-func (h Pass) Delete(serverURL string) error {
+func (p Pass) Delete(serverURL string) error {
 	if serverURL == "" {
 		return errors.New("missing server url")
 	}
-	encoded := base64.URLEncoding.EncodeToString([]byte(serverURL))
+	encoded := encodeServerURL(serverURL)
-	_, err := h.runPass("", "rm", "-rf", path.Join(PASS_FOLDER, encoded))
+	_, err := p.runPass("", "rm", "-rf", path.Join(PASS_FOLDER, encoded))
 	return err
 }
 func getPassDir() string {
-	passDir := "$HOME/.password-store"
+	if passDir := os.Getenv("PASSWORD_STORE_DIR"); passDir != "" {
-	if envDir := os.Getenv("PASSWORD_STORE_DIR"); envDir != "" {
+		return passDir
 		passDir = envDir
 	}
-	return os.ExpandEnv(passDir)
+	home, _ := os.UserHomeDir()
 	return filepath.Join(home, ".password-store")
 }
 // listPassDir lists all the contents of a directory in the password store.
@@ -115,50 +117,47 @@ func getPassDir() string {
 func listPassDir(args ...string) ([]os.FileInfo, error) {
 	passDir := getPassDir()
 	p := path.Join(append([]string{passDir, PASS_FOLDER}, args...)...)
-	contents, err := ioutil.ReadDir(p)
+	entries, err := os.ReadDir(p)
 	if err != nil {
 		if os.IsNotExist(err) {
 			return []os.FileInfo{}, nil
 		}
 		return nil, err
 	}
-
+	infos := make([]fs.FileInfo, 0, len(entries))
-	return contents, nil
+	for _, entry := range entries {
 		info, err := entry.Info()
 		if err != nil {
 			return nil, err
 		}
 		infos = append(infos, info)
 	}
 	return infos, nil
 }
 // Get returns the username and secret to use for a given registry server URL.
-func (h Pass) Get(serverURL string) (string, string, error) {
+func (p Pass) Get(serverURL string) (string, string, error) {
 	if serverURL == "" {
 		return "", "", errors.New("missing server url")
 	}
-	encoded := base64.URLEncoding.EncodeToString([]byte(serverURL))
+	encoded := encodeServerURL(serverURL)
 	if _, err := os.Stat(path.Join(getPassDir(), PASS_FOLDER, encoded)); err != nil {
 		if os.IsNotExist(err) {
 			return "", "", nil
 		}
 		return "", "", err
 	}
 	usernames, err := listPassDir(encoded)
 	if err != nil {
 		return "", "", err
 	}
 	if len(usernames) < 1 {
-		return "", "", fmt.Errorf("no usernames for %s", serverURL)
+		return "", "", credentials.NewErrCredentialsNotFound()
 	}
 	actual := strings.TrimSuffix(usernames[0].Name(), ".gpg")
-	secret, err := h.runPass("", "show", path.Join(PASS_FOLDER, encoded, actual))
+	secret, err := p.runPass("", "show", path.Join(PASS_FOLDER, encoded, actual))
 	return actual, secret, err
 }
 // List returns the stored URLs and corresponding usernames for a given credentials label
-func (h Pass) List() (map[string]string, error) {
+func (p Pass) List() (map[string]string, error) {
 	servers, err := listPassDir()
 	if err != nil {
 		return nil, err
@@ -171,7 +170,7 @@ func (h Pass) List() (map[string]string, error) {
 			continue
 		}
-		serverURL, err := base64.URLEncoding.DecodeString(server.Name())
+		serverURL, err := decodeServerURL(server.Name())
 		if err != nil {
 			return nil, err
 		}
@@ -182,11 +181,27 @@ func (h Pass) List() (map[string]string, error) {
 		}
 		if len(usernames) < 1 {
-			return nil, fmt.Errorf("no usernames for %s", serverURL)
+			continue
 		}
-		resp[string(serverURL)] = strings.TrimSuffix(usernames[0].Name(), ".gpg")
+		resp[serverURL] = strings.TrimSuffix(usernames[0].Name(), ".gpg")
 	}
 	return resp, nil
 }
 // encodeServerURL returns the serverURL in base64-URL encoding to use
 // as directory-name in pass storage.
 func encodeServerURL(serverURL string) string {
 	return base64.URLEncoding.EncodeToString([]byte(serverURL))
 }
 // decodeServerURL decodes base64-URL encoded serverURL. ServerURLs are
 // used in encoded format for directory-names in pass storage.
 func decodeServerURL(encodedServerURL string) (string, error) {
 	serverURL, err := base64.URLEncoding.DecodeString(encodedServerURL)
 	if err != nil {
 		return "", err
 	}
 	return string(serverURL), nil
 }
@@ -1,75 +0,0 @@
 package pass
 import (
 	"strings"
 	"testing"
 	"github.com/docker/docker-credential-helpers/credentials"
 )
 func TestPassHelper(t *testing.T) {
 	helper := Pass{}
 	creds := &credentials.Credentials{
 		ServerURL: "https://foobar.docker.io:2376/v1",
 		Username:  "nothing",
 		Secret:    "isthebestmeshuggahalbum",
 	}
 	helper.Add(creds)
 	creds.ServerURL = "https://foobar.docker.io:9999/v2"
 	helper.Add(creds)
 	credsList, err := helper.List()
 	if err != nil {
 		t.Fatal(err)
 	}
 	for server, username := range credsList {
 		if !(strings.Contains(server, "2376") ||
 			strings.Contains(server, "9999")) {
 			t.Fatalf("invalid url: %s", creds.ServerURL)
 		}
 		if username != "nothing" {
 			t.Fatalf("invalid username: %v", username)
 		}
 		u, s, err := helper.Get(server)
 		if err != nil {
 			t.Fatal(err)
 		}
 		if u != username {
 			t.Fatalf("invalid username %s", u)
 		}
 		if s != "isthebestmeshuggahalbum" {
 			t.Fatalf("invalid secret: %s", s)
 		}
 		err = helper.Delete(server)
 		if err != nil {
 			t.Fatal(err)
 		}
 		username, _, err = helper.Get(server)
 		if err != nil {
 			t.Fatal(err)
 		}
 		if username != "" {
 			t.Fatalf("%s shouldn't exist any more", username)
 		}
 	}
 	credsList, err = helper.List()
 	if err != nil {
 		t.Fatal(err)
 	}
 	if len(credsList) != 0 {
 		t.Fatal("didn't delete all creds?")
 	}
 }
@@ -0,0 +1,195 @@
 //go:build !windows
 package pass
 import (
 	"os"
 	"path"
 	"strings"
 	"testing"
 	"github.com/docker/docker-credential-helpers/credentials"
 )
 func TestPassHelper(t *testing.T) {
 	creds := &credentials.Credentials{
 		ServerURL: "https://foobar.example.com:2376/v1",
 		Username:  "nothing",
 		Secret:    "isthebestmeshuggahalbum",
 	}
 	helper := Pass{}
 	if err := helper.checkInitialized(); err != nil {
 		t.Error(err)
 	}
 	if err := helper.Add(creds); err != nil {
 		t.Error(err)
 	}
 	u, s, err := helper.Get(creds.ServerURL)
 	if err != nil {
 		t.Error(err)
 	}
 	if u != creds.Username {
 		t.Errorf("invalid username %s", u)
 	}
 	if s != creds.Secret {
 		t.Errorf("invalid secret: %s", s)
 	}
 	if err := helper.Delete(creds.ServerURL); err != nil {
 		t.Error(err)
 	}
 	if _, _, err := helper.Get(creds.ServerURL); !credentials.IsErrCredentialsNotFound(err) {
 		t.Errorf("expected credentials not found, actual: %v", err)
 	}
 }
 func TestPassHelperCheckInit(t *testing.T) {
 	helper := Pass{}
 	if v := helper.CheckInitialized(); !v {
 		t.Errorf("expected true, actual: %v", v)
 	}
 }
 func TestPassHelperList(t *testing.T) {
 	creds := []*credentials.Credentials{
 		{
 			ServerURL: "https://foobar.example.com:2376/v1",
 			Username:  "foo",
 			Secret:    "isthebestmeshuggahalbum",
 		},
 		{
 			ServerURL: "https://foobar.example.com:2375/v1",
 			Username:  "bar",
 			Secret:    "isthebestmeshuggahalbum",
 		},
 	}
 	helper := Pass{}
 	if err := helper.checkInitialized(); err != nil {
 		t.Error(err)
 	}
 	for _, cred := range creds {
 		if err := helper.Add(cred); err != nil {
 			t.Error(err)
 		}
 	}
 	credsList, err := helper.List()
 	if err != nil {
 		t.Error(err)
 	}
 	for server, username := range credsList {
 		if !strings.HasSuffix(server, "2376/v1") && !strings.HasSuffix(server, "2375/v1") {
 			t.Errorf("invalid url: %s", server)
 		}
 		if username != "foo" && username != "bar" {
 			t.Errorf("invalid username: %v", username)
 		}
 		u, s, err := helper.Get(server)
 		if err != nil {
 			t.Error(err)
 		}
 		if u != username {
 			t.Errorf("invalid username %s", u)
 		}
 		if s != "isthebestmeshuggahalbum" {
 			t.Errorf("invalid secret: %s", s)
 		}
 		if err := helper.Delete(server); err != nil {
 			t.Error(err)
 		}
 		if _, _, err := helper.Get(server); !credentials.IsErrCredentialsNotFound(err) {
 			t.Errorf("expected credentials not found, actual: %v", err)
 		}
 	}
 	credsList, err = helper.List()
 	if err != nil {
 		t.Error(err)
 	}
 	if len(credsList) != 0 {
 		t.Error("didn't delete all creds?")
 	}
 }
 // TestPassHelperWithEmptyServer verifies that empty directories (servers
 // without credentials) are ignored, but still returns credentials for other
 // servers.
 func TestPassHelperWithEmptyServer(t *testing.T) {
 	helper := Pass{}
 	if err := helper.checkInitialized(); err != nil {
 		t.Error(err)
 	}
 	creds := []*credentials.Credentials{
 		{
 			ServerURL: "https://myreqistry.example.com:2375/v1",
 			Username:  "foo",
 			Secret:    "isthebestmeshuggahalbum",
 		},
 		{
 			ServerURL: "https://index.example.com/v1//access-token",
 		},
 	}
 	t.Cleanup(func() {
 		for _, cred := range creds {
 			_ = helper.Delete(cred.ServerURL)
 		}
 	})
 	for _, cred := range creds {
 		if cred.Username != "" {
 			if err := helper.Add(cred); err != nil {
 				t.Error(err)
 			}
 		} else {
 			// No credentials; create an empty directory for this server.
 			serverURL := encodeServerURL(cred.ServerURL)
 			p := path.Join(getPassDir(), PASS_FOLDER, serverURL)
 			if err := os.Mkdir(p, 0o755); err != nil {
 				t.Error(err)
 			}
 		}
 	}
 	credsList, err := helper.List()
 	if err != nil {
 		t.Error(err)
 	}
 	if len(credsList) == 0 {
 		t.Error("expected credentials to be returned, but got none")
 	}
 	for _, cred := range creds {
 		if cred.Username != "" {
 			userName, secret, err := helper.Get(cred.ServerURL)
 			if err != nil {
 				t.Error(err)
 			}
 			if userName != cred.Username {
 				t.Errorf("expected username %q, actual: %q", cred.Username, userName)
 			}
 			if secret != cred.Secret {
 				t.Errorf("expected secret %q, actual: %q", cred.Secret, secret)
 			}
 		} else {
 			_, _, err := helper.Get(cred.ServerURL)
 			if !credentials.IsErrCredentialsNotFound(err) {
 				t.Errorf("expected credentials not found, actual: %v", err)
 			}
 		}
 	}
 }
 func TestMissingCred(t *testing.T) {
 	helper := Pass{}
 	if _, _, err := helper.Get("garbage"); !credentials.IsErrCredentialsNotFound(err) {
 		t.Errorf("expected credentials not found, actual: %v", err)
 	}
 }
@@ -28,10 +28,24 @@ func Parse(registryURL string) (*url.URL, error) {
 		return nil, errors.New("unsupported scheme: " + u.Scheme)
 	}
-	if GetHostname(u) == "" {
+	if u.Hostname() == "" {
 		return nil, errors.New("no hostname in URL")
 	}
 	u.RawQuery = ""
 	return u, nil
 }
 // GetHostname returns the hostname of the URL
 //
 // Deprecated: use url.Hostname()
 func GetHostname(u *url.URL) string {
 	return u.Hostname()
 }
 // GetPort returns the port number of the URL
 //
 // Deprecated: use url.Port()
 func GetPort(u *url.URL) string {
 	return u.Port()
 }
@@ -13,34 +13,61 @@ func TestHelperParseURL(t *testing.T) {
 		expectedURL string
 		err         error
 	}{
-		{url: "foobar.docker.io", expectedURL: "//foobar.docker.io"},
+		{
-		{url: "foobar.docker.io:2376", expectedURL: "//foobar.docker.io:2376"},
+			url:         "foobar.example.com",
-		{url: "//foobar.docker.io:2376", expectedURL: "//foobar.docker.io:2376"},
+			expectedURL: "//foobar.example.com",
-		{url: "http://foobar.docker.io:2376", expectedURL: "http://foobar.docker.io:2376"},
+		},
-		{url: "https://foobar.docker.io:2376", expectedURL: "https://foobar.docker.io:2376"},
+		{
-		{url: "https://foobar.docker.io:2376/some/path", expectedURL: "https://foobar.docker.io:2376/some/path"},
+			url:         "foobar.example.com:2376",
-		{url: "https://foobar.docker.io:2376/some/other/path?foo=bar", expectedURL: "https://foobar.docker.io:2376/some/other/path"},
+			expectedURL: "//foobar.example.com:2376",
-		{url: "/foobar.docker.io", err: errors.New("no hostname in URL")},
+		},
-		{url: "ftp://foobar.docker.io:2376", err: errors.New("unsupported scheme: ftp")},
+		{
 			url:         "//foobar.example.com:2376",
 			expectedURL: "//foobar.example.com:2376",
 		},
 		{
 			url:         "http://foobar.example.com:2376",
 			expectedURL: "http://foobar.example.com:2376",
 		},
 		{
 			url:         "https://foobar.example.com:2376",
 			expectedURL: "https://foobar.example.com:2376",
 		},
 		{
 			url:         "https://foobar.example.com:2376/some/path",
 			expectedURL: "https://foobar.example.com:2376/some/path",
 		},
 		{
 			url:         "https://foobar.example.com:2376/some/other/path?foo=bar",
 			expectedURL: "https://foobar.example.com:2376/some/other/path",
 		},
 		{
 			url: "/foobar.example.com",
 			err: errors.New("no hostname in URL"),
 		},
 		{
 			url: "ftp://foobar.example.com:2376",
 			err: errors.New("unsupported scheme: ftp"),
 		},
 	}
-	for _, te := range tests {
+	for _, tc := range tests {
-		u, err := Parse(te.url)
+		tc := tc
 		t.Run(tc.url, func(t *testing.T) {
 			u, err := Parse(tc.url)
-		if te.err == nil && err != nil {
+			if tc.err == nil && err != nil {
-			t.Errorf("Error: failed to parse URL %q: %s", te.url, err)
+				t.Fatalf("Error: failed to parse URL %q: %s", tc.url, err)
 			continue
 			}
-		if te.err != nil && err == nil {
+			if tc.err != nil && err == nil {
-			t.Errorf("Error: expected error %q, got none when parsing URL %q", te.err, te.url)
+				t.Fatalf("Error: expected error %q, got none when parsing URL %q", tc.err, tc.url)
 			continue
 			}
-		if te.err != nil && err.Error() != te.err.Error() {
+			if tc.err != nil && err.Error() != tc.err.Error() {
-			t.Errorf("Error: expected error %q, got %q when parsing URL %q", te.err, err, te.url)
+				t.Fatalf("Error: expected error %q, got %q when parsing URL %q", tc.err, err, tc.url)
 			continue
 		}
 		if u != nil && u.String() != te.expectedURL {
 			t.Errorf("Error: expected URL: %q, but got %q for URL: %q", te.expectedURL, u.String(), te.url)
 			}
 			if u != nil && u.String() != tc.expectedURL {
 				t.Errorf("Error: expected URL: %q, but got %q for URL: %q", tc.expectedURL, u.String(), tc.url)
 			}
 		})
 	}
 }
@@ -1,15 +0,0 @@
 //+build go1.8
 package registryurl
 import (
 	url "net/url"
 )
 func GetHostname(u *url.URL) string {
 	return u.Hostname()
 }
 func GetPort(u *url.URL) string {
 	return u.Port()
 }
@@ -1,41 +0,0 @@
 //+build !go1.8
 package registryurl
 import (
 	url "net/url"
 	"strings"
 )
 func GetHostname(u *url.URL) string {
 	return stripPort(u.Host)
 }
 func GetPort(u *url.URL) string {
 	return portOnly(u.Host)
 }
 func stripPort(hostport string) string {
 	colon := strings.IndexByte(hostport, ':')
 	if colon == -1 {
 		return hostport
 	}
 	if i := strings.IndexByte(hostport, ']'); i != -1 {
 		return strings.TrimPrefix(hostport[:i], "[")
 	}
 	return hostport[:colon]
 }
 func portOnly(hostport string) string {
 	colon := strings.IndexByte(hostport, ':')
 	if colon == -1 {
 		return ""
 	}
 	if i := strings.Index(hostport, "]:"); i != -1 {
 		return hostport[i+len("]:"):]
 	}
 	if strings.Contains(hostport, "]") {
 		return ""
 	}
 	return hostport[colon+len(":"):]
 }
@@ -1,3 +1,5 @@
 //go:build linux && cgo
 package main
 import (
@@ -1,6 +1,6 @@
 #include <string.h>
 #include <stdlib.h>
-#include "secretservice_linux.h"
+#include "secretservice.h"
 const SecretSchema *docker_get_schema(void)
 {
@@ -17,11 +17,11 @@ const SecretSchema *docker_get_schema(void)
 	return &docker_schema;
 }
-GError *add(char *label, char *server, char *username, char *secret) {
+GError *add(char *label, char *server, char *username, char *secret, char *displaylabel) {
 	GError *err = NULL;
 	secret_password_store_sync (DOCKER_SCHEMA, SECRET_COLLECTION_DEFAULT,
-			server, secret, NULL, &err,
+			displaylabel, secret, NULL, &err,
 			"label", label,
 			"server", server,
 			"username", username,
@@ -83,6 +83,9 @@ GError *get(char *server, char **username, char **secret) {
 				}
 				g_free(value);
 				secretValue = secret_item_get_secret(l->data);
 				if (secretValue == NULL) {
 					continue;
 				}
 				if (secret != NULL) {
 					*secret = strdup(secret_value_get(secretValue, &length));
 					secret_value_unref(secretValue);
@@ -1,12 +1,15 @@
 //go:build linux && cgo
 package secretservice
 /*
 #cgo pkg-config: libsecret-1
-#include "secretservice_linux.h"
+#include "secretservice.h"
 #include <stdlib.h>
 */
 import "C"
 import (
 	"errors"
 	"unsafe"
@@ -30,8 +33,10 @@ func (h Secretservice) Add(creds *credentials.Credentials) error {
 	defer C.free(unsafe.Pointer(username))
 	secret := C.CString(creds.Secret)
 	defer C.free(unsafe.Pointer(secret))
 	displayLabel := C.CString("Registry credentials for " + creds.ServerURL)
 	defer C.free(unsafe.Pointer(displayLabel))
-	if err := C.add(credsLabel, server, username, secret); err != nil {
+	if err := C.add(credsLabel, server, username, secret, displayLabel); err != nil {
 		defer C.g_error_free(err)
 		errMsg := (*C.char)(unsafe.Pointer(err.message))
 		return errors.New(C.GoString(errMsg))
@@ -96,7 +101,8 @@ func (h Secretservice) List() (map[string]string, error) {
 	defer C.freeListData(&acctsC, listLenC)
 	if err != nil {
 		defer C.g_error_free(err)
-		return nil, errors.New("Error from list function in secretservice_linux.c likely due to error in secretservice library")
+		errMsg := (*C.char)(unsafe.Pointer(err.message))
 		return nil, errors.New(C.GoString(errMsg))
 	}
 	resp := make(map[string]string)
@@ -6,7 +6,7 @@ const SecretSchema *docker_get_schema(void) G_GNUC_CONST;
 #define DOCKER_SCHEMA docker_get_schema()
-GError *add(char *label, char *server, char *username, char *secret);
+GError *add(char *label, char *server, char *username, char *secret, char *displaylabel);
 GError *delete(char *server);
 GError *get(char *server, char **username, char **secret);
 GError *list(char *label, char *** paths, char *** accts, unsigned int *list_l);
@@ -1,3 +1,5 @@
 //go:build linux && cgo
 package secretservice
 import (
@@ -11,7 +13,7 @@ func TestSecretServiceHelper(t *testing.T) {
 	t.Skip("test requires gnome-keyring but travis CI doesn't have it")
 	creds := &credentials.Credentials{
-		ServerURL: "https://foobar.docker.io:2376/v1",
+		ServerURL: "https://foobar.example.com:2376/v1",
 		Username:  "foobar",
 		Secret:    "foobarbaz",
 	}
@@ -19,16 +21,15 @@ func TestSecretServiceHelper(t *testing.T) {
 	helper := Secretservice{}
 	// Check how many docker credentials we have when starting the test
-	old_auths, err := helper.List()
+	oldAuths, err := helper.List()
 	if err != nil {
 		t.Fatal(err)
 	}
 	// If any docker credentials with the tests values we are providing, we
 	// remove them as they probably come from a previous failed test
-	for k, v := range old_auths {
+	for k, v := range oldAuths {
 		if strings.Compare(k, creds.ServerURL) == 0 && strings.Compare(v, creds.Username) == 0 {
 			if err := helper.Delete(creds.ServerURL); err != nil {
 				t.Fatal(err)
 			}
@@ -36,7 +37,7 @@ func TestSecretServiceHelper(t *testing.T) {
 	}
 	// Check again how many docker credentials we have when starting the test
-	old_auths, err = helper.List()
+	oldAuths, err = helper.List()
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -61,11 +62,11 @@ func TestSecretServiceHelper(t *testing.T) {
 	}
 	// We should have one more credential than before adding
-	new_auths, err := helper.List()
+	newAuths, err := helper.List()
-	if err != nil || (len(new_auths)-len(old_auths) != 1) {
+	if err != nil || (len(newAuths)-len(oldAuths) != 1) {
 		t.Fatal(err)
 	}
-	old_auths = new_auths
+	oldAuths = newAuths
 	// Deleting the credentials associated to current server url should succeed
 	if err := helper.Delete(creds.ServerURL); err != nil {
@@ -73,8 +74,8 @@ func TestSecretServiceHelper(t *testing.T) {
 	}
 	// We should have one less credential than before deleting
-	new_auths, err = helper.List()
+	newAuths, err = helper.List()
-	if err != nil || (len(old_auths)-len(new_auths) != 1) {
+	if err != nil || (len(oldAuths)-len(newAuths) != 1) {
 		t.Fatal(err)
 	}
 }
@@ -0,0 +1 @@
 *.go text eol=lf
@@ -0,0 +1,25 @@
 # Compiled Object files, Static and Dynamic libs (Shared Objects)
 *.o
 *.a
 *.so
 # Folders
 _obj
 _test
 # Architecture specific extensions/prefixes
 *.[568vq]
 [568vq].out
 *.cgo1.go
 *.cgo2.c
 _cgo_defun.c
 _cgo_gotypes.go
 _cgo_export.*
 _testmain.go
 *.exe
 *.test
 coverage.txt
@@ -0,0 +1,145 @@
 wincred
 =======
 Go wrapper around the Windows Credential Manager API functions.
 [![GitHub release](https://img.shields.io/github/release/danieljoos/wincred.svg?style=flat-square)](https://github.com/danieljoos/wincred/releases/latest)
 [![Test Status](https://img.shields.io/github/actions/workflow/status/danieljoos/wincred/test.yml?label=test&logo=github&style=flat-square)](https://github.com/danieljoos/wincred/actions?query=workflow%3Atest)
 [![Go Report Card](https://goreportcard.com/badge/github.com/danieljoos/wincred)](https://goreportcard.com/report/github.com/danieljoos/wincred)
 [![Codecov](https://img.shields.io/codecov/c/github/danieljoos/wincred?logo=codecov&style=flat-square)](https://codecov.io/gh/danieljoos/wincred)
 [![PkgGoDev](https://img.shields.io/badge/go.dev-docs-007d9c?logo=go&logoColor=white&style=flat-square)](https://pkg.go.dev/github.com/danieljoos/wincred)
 Installation
 ------------
 ```Go
 go get github.com/danieljoos/wincred
 ```
 Usage
 -----
 See the following examples:
 ### Create and store a new generic credential object
 ```Go
 package main
 import (
    "fmt"
    "github.com/danieljoos/wincred"
 )
 func main() {
    cred := wincred.NewGenericCredential("myGoApplication")
    cred.CredentialBlob = []byte("my secret")
    err := cred.Write()
    if err != nil {
        fmt.Println(err)
    }
 } 
 ```
 ### Retrieve a credential object
 ```Go
 package main
 import (
    "fmt"
    "github.com/danieljoos/wincred"
 )
 func main() {
    cred, err := wincred.GetGenericCredential("myGoApplication")
    if err == nil {
        fmt.Println(string(cred.CredentialBlob))
    }
 } 
 ```
 ### Remove a credential object
 ```Go
 package main
 import (
    "fmt"
    "github.com/danieljoos/wincred"
 )
 func main() {
    cred, err := wincred.GetGenericCredential("myGoApplication")
    if err != nil {
        fmt.Println(err)
        return
    }
    cred.Delete()
 } 
 ```
 ### List all available credentials
 ```Go
 package main
 import (
    "fmt"
    "github.com/danieljoos/wincred"
 )
 func main() {
    creds, err := wincred.List()
    if err != nil {
        fmt.Println(err)
        return
    }
    for i := range(creds) {
        fmt.Println(creds[i].TargetName)
    }
 }
 ```
 Hints
 -----
 ### Encoding
 The credential objects simply store byte arrays without specific meaning or encoding.
 For sharing between different applications, it might make sense to apply an explicit string encoding - for example **UTF-16 LE** (used nearly everywhere in the Win32 API).
 ```Go
 package main
 import (
 	"fmt"
 	"os"
 	"github.com/danieljoos/wincred"
 	"golang.org/x/text/encoding/unicode"
 	"golang.org/x/text/transform"
 )
 func main() {
 	cred := wincred.NewGenericCredential("myGoApplication")
 	encoder := unicode.UTF16(unicode.LittleEndian, unicode.IgnoreBOM).NewEncoder()
 	blob, _, err := transform.Bytes(encoder, []byte("mysecret"))
 	if err != nil {
 		fmt.Println(err)
 		os.Exit(1)
 	}
 	cred.CredentialBlob = blob
 	err = cred.Write()
 	if err != nil {
 		fmt.Println(err)
 		os.Exit(1)
 	}
 }
 ```
 ### Limitations
 The size of a credential blob is limited to **2560 Bytes** by the Windows API.
@@ -1,88 +1,83 @@
 // +build windows
 package wincred
 import (
 	"encoding/binary"
 	"reflect"
 	"syscall"
 	"time"
 	"unicode/utf16"
 	"unsafe"
 	syscall "golang.org/x/sys/windows"
 )
-var nullPointer = unsafe.Pointer(uintptr(0))
+// utf16ToByte creates a byte array from a given UTF 16 char array.
 // Create a Go string using a pointer to a zero-terminated UTF 16 encoded string.
 // See github.com/AllenDang/w32
 func utf16PtrToString(wstr *uint16) string {
 	if wstr != nil {
 		buf := make([]uint16, 0, 256)
 		for ptr := uintptr(unsafe.Pointer(wstr)); ; ptr += 2 {
 			rune := *(*uint16)(unsafe.Pointer(ptr))
 			if rune == 0 {
 				return string(utf16.Decode(buf))
 			}
 			buf = append(buf, rune)
 		}
 	}
 	return ""
 }
 // Create a byte array from a given UTF 16 char array
 func utf16ToByte(wstr []uint16) (result []byte) {
 	result = make([]byte, len(wstr)*2)
-	for i, _ := range wstr {
+	for i := range wstr {
 		binary.LittleEndian.PutUint16(result[(i*2):(i*2)+2], wstr[i])
 	}
 	return
 }
-// Copies the given C byte array to a Go byte array (see `C.GoBytes`)
+// utf16FromString creates a UTF16 char array from a string.
-func goBytes(src unsafe.Pointer, len uint32) []byte {
+func utf16FromString(str string) []uint16 {
-	if src == nullPointer {
+	res, err := syscall.UTF16FromString(str)
 	if err != nil {
 		return []uint16{}
 	}
 	return res
 }
 // goBytes copies the given C byte array to a Go byte array (see `C.GoBytes`).
 // This function avoids having cgo as dependency.
 func goBytes(src *byte, len uint32) []byte {
 	if src == nil || len == 0 {
 		return []byte{}
 	}
 	slice := (*[1 << 30]byte)(src)[0:len]
 	rv := make([]byte, len)
-	copy(rv, slice)
+	copy(rv, *(*[]byte)(unsafe.Pointer(&reflect.SliceHeader{
-	return rv[:]
+		Data: uintptr(unsafe.Pointer(src)),
 		Len:  int(len),
 		Cap:  int(len),
 	})))
 	return rv
 }
 // Convert the given CREDENTIAL struct to a more usable structure
-func nativeToCredential(cred *nativeCREDENTIAL) (result *Credential) {
+func sysToCredential(cred *sysCREDENTIAL) (result *Credential) {
-	if unsafe.Pointer(cred) == nullPointer {
+	if cred == nil {
 		return nil
 	}
 	result = new(Credential)
-	result.Comment = utf16PtrToString(cred.Comment)
+	result.Comment = syscall.UTF16PtrToString(cred.Comment)
-	result.TargetName = utf16PtrToString(cred.TargetName)
+	result.TargetName = syscall.UTF16PtrToString(cred.TargetName)
-	result.TargetAlias = utf16PtrToString(cred.TargetAlias)
+	result.TargetAlias = syscall.UTF16PtrToString(cred.TargetAlias)
-	result.UserName = utf16PtrToString(cred.UserName)
+	result.UserName = syscall.UTF16PtrToString(cred.UserName)
 	result.LastWritten = time.Unix(0, cred.LastWritten.Nanoseconds())
 	result.Persist = CredentialPersistence(cred.Persist)
-	result.CredentialBlob = goBytes(unsafe.Pointer(cred.CredentialBlob), cred.CredentialBlobSize)
+	result.CredentialBlob = goBytes(cred.CredentialBlob, cred.CredentialBlobSize)
 	result.Attributes = make([]CredentialAttribute, cred.AttributeCount)
-	attrSliceHeader := reflect.SliceHeader{
+	attrSlice := *(*[]sysCREDENTIAL_ATTRIBUTE)(unsafe.Pointer(&reflect.SliceHeader{
-		Data: cred.Attributes,
+		Data: uintptr(unsafe.Pointer(cred.Attributes)),
 		Len:  int(cred.AttributeCount),
 		Cap:  int(cred.AttributeCount),
-	}
+	}))
 	attrSlice := *(*[]nativeCREDENTIAL_ATTRIBUTE)(unsafe.Pointer(&attrSliceHeader))
 	for i, attr := range attrSlice {
 		resultAttr := &result.Attributes[i]
-		resultAttr.Keyword = utf16PtrToString(attr.Keyword)
+		resultAttr.Keyword = syscall.UTF16PtrToString(attr.Keyword)
-		resultAttr.Value = goBytes(unsafe.Pointer(attr.Value), attr.ValueSize)
+		resultAttr.Value = goBytes(attr.Value, attr.ValueSize)
 	}
 	return result
 }
 // Convert the given Credential object back to a CREDENTIAL struct, which can be used for calling the
 // Windows APIs
-func nativeFromCredential(cred *Credential) (result *nativeCREDENTIAL) {
+func sysFromCredential(cred *Credential) (result *sysCREDENTIAL) {
 	if cred == nil {
 		return nil
 	}
-	result = new(nativeCREDENTIAL)
+	result = new(sysCREDENTIAL)
 	result.Flags = 0
 	result.Type = 0
 	result.TargetName, _ = syscall.UTF16PtrFromString(cred.TargetName)
@@ -90,28 +85,22 @@ func nativeFromCredential(cred *Credential) (result *nativeCREDENTIAL) {
 	result.LastWritten = syscall.NsecToFiletime(cred.LastWritten.UnixNano())
 	result.CredentialBlobSize = uint32(len(cred.CredentialBlob))
 	if len(cred.CredentialBlob) > 0 {
-		result.CredentialBlob = uintptr(unsafe.Pointer(&cred.CredentialBlob[0]))
+		result.CredentialBlob = &cred.CredentialBlob[0]
 	} else {
 		result.CredentialBlob = 0
 	}
 	result.Persist = uint32(cred.Persist)
 	result.AttributeCount = uint32(len(cred.Attributes))
-	attributes := make([]nativeCREDENTIAL_ATTRIBUTE, len(cred.Attributes))
+	attributes := make([]sysCREDENTIAL_ATTRIBUTE, len(cred.Attributes))
 	if len(attributes) > 0 {
-		result.Attributes = uintptr(unsafe.Pointer(&attributes[0]))
+		result.Attributes = &attributes[0]
 	} else {
 		result.Attributes = 0
 	}
-	for i, _ := range cred.Attributes {
+	for i := range cred.Attributes {
 		inAttr := &cred.Attributes[i]
 		outAttr := &attributes[i]
 		outAttr.Keyword, _ = syscall.UTF16PtrFromString(inAttr.Keyword)
 		outAttr.Flags = 0
 		outAttr.ValueSize = uint32(len(inAttr.Value))
 		if len(inAttr.Value) > 0 {
-			outAttr.Value = uintptr(unsafe.Pointer(&inAttr.Value[0]))
+			outAttr.Value = &inAttr.Value[0]
 		} else {
 			outAttr.Value = 0
 		}
 	}
 	result.TargetAlias, _ = syscall.UTF16PtrFromString(cred.TargetAlias)
@@ -0,0 +1,11 @@
 // +build !windows
 package wincred
 func utf16ToByte(...interface{}) []byte {
 	return nil
 }
 func utf16FromString(...interface{}) []uint16 {
 	return nil
 }
@@ -1,137 +0,0 @@
 package wincred
 import (
 	"syscall"
 	"unsafe"
 )
 var (
 	modadvapi32 = syscall.NewLazyDLL("advapi32.dll")
 	procCredRead      proc = modadvapi32.NewProc("CredReadW")
 	procCredWrite     proc = modadvapi32.NewProc("CredWriteW")
 	procCredDelete    proc = modadvapi32.NewProc("CredDeleteW")
 	procCredFree      proc = modadvapi32.NewProc("CredFree")
 	procCredEnumerate proc = modadvapi32.NewProc("CredEnumerateW")
 )
 // Interface for syscall.Proc: helps testing
 type proc interface {
 	Call(a ...uintptr) (r1, r2 uintptr, lastErr error)
 }
 // http://msdn.microsoft.com/en-us/library/windows/desktop/aa374788(v=vs.85).aspx
 type nativeCREDENTIAL struct {
 	Flags              uint32
 	Type               uint32
 	TargetName         *uint16
 	Comment            *uint16
 	LastWritten        syscall.Filetime
 	CredentialBlobSize uint32
 	CredentialBlob     uintptr
 	Persist            uint32
 	AttributeCount     uint32
 	Attributes         uintptr
 	TargetAlias        *uint16
 	UserName           *uint16
 }
 // http://msdn.microsoft.com/en-us/library/windows/desktop/aa374790(v=vs.85).aspx
 type nativeCREDENTIAL_ATTRIBUTE struct {
 	Keyword   *uint16
 	Flags     uint32
 	ValueSize uint32
 	Value     uintptr
 }
 // http://msdn.microsoft.com/en-us/library/windows/desktop/aa374788(v=vs.85).aspx
 type nativeCRED_TYPE uint32
 const (
 	naCRED_TYPE_GENERIC                 nativeCRED_TYPE = 0x1
 	naCRED_TYPE_DOMAIN_PASSWORD         nativeCRED_TYPE = 0x2
 	naCRED_TYPE_DOMAIN_CERTIFICATE      nativeCRED_TYPE = 0x3
 	naCRED_TYPE_DOMAIN_VISIBLE_PASSWORD nativeCRED_TYPE = 0x4
 	naCRED_TYPE_GENERIC_CERTIFICATE     nativeCRED_TYPE = 0x5
 	naCRED_TYPE_DOMAIN_EXTENDED         nativeCRED_TYPE = 0x6
 	naERROR_NOT_FOUND = "Element not found."
 )
 // http://msdn.microsoft.com/en-us/library/windows/desktop/aa374804(v=vs.85).aspx
 func nativeCredRead(targetName string, typ nativeCRED_TYPE) (*Credential, error) {
 	var pcred uintptr
 	targetNamePtr, _ := syscall.UTF16PtrFromString(targetName)
 	ret, _, err := procCredRead.Call(
 		uintptr(unsafe.Pointer(targetNamePtr)),
 		uintptr(typ),
 		0,
 		uintptr(unsafe.Pointer(&pcred)),
 	)
 	if ret == 0 {
 		return nil, err
 	}
 	defer procCredFree.Call(pcred)
 	return nativeToCredential((*nativeCREDENTIAL)(unsafe.Pointer(pcred))), nil
 }
 // http://msdn.microsoft.com/en-us/library/windows/desktop/aa375187(v=vs.85).aspx
 func nativeCredWrite(cred *Credential, typ nativeCRED_TYPE) error {
 	ncred := nativeFromCredential(cred)
 	ncred.Type = uint32(typ)
 	ret, _, err := procCredWrite.Call(
 		uintptr(unsafe.Pointer(ncred)),
 		0,
 	)
 	if ret == 0 {
 		return err
 	}
 	return nil
 }
 // http://msdn.microsoft.com/en-us/library/windows/desktop/aa374787(v=vs.85).aspx
 func nativeCredDelete(cred *Credential, typ nativeCRED_TYPE) error {
 	targetNamePtr, _ := syscall.UTF16PtrFromString(cred.TargetName)
 	ret, _, err := procCredDelete.Call(
 		uintptr(unsafe.Pointer(targetNamePtr)),
 		uintptr(typ),
 		0,
 	)
 	if ret == 0 {
 		return err
 	}
 	return nil
 }
 // https://msdn.microsoft.com/en-us/library/windows/desktop/aa374794(v=vs.85).aspx
 func nativeCredEnumerate(filter string, all bool) ([]*Credential, error) {
 	var count int
 	var pcreds uintptr
 	var filterPtr uintptr
 	if !all {
 		filterUtf16Ptr, _ := syscall.UTF16PtrFromString(filter)
 		filterPtr = uintptr(unsafe.Pointer(filterUtf16Ptr))
 	} else {
 		filterPtr = 0
 	}
 	ret, _, err := procCredEnumerate.Call(
 		filterPtr,
 		0,
 		uintptr(unsafe.Pointer(&count)),
 		uintptr(unsafe.Pointer(&pcreds)),
 	)
 	if ret == 0 {
 		return nil, err
 	}
 	defer procCredFree.Call(pcreds)
 	pcredsSlice := (*[1 << 30]uintptr)(unsafe.Pointer(pcreds))[:count:count]
 	creds := make([]*Credential, count)
 	for i := range creds {
 		creds[i] = nativeToCredential((*nativeCREDENTIAL)(unsafe.Pointer(pcredsSlice[i])))
 	}
 	return creds, nil
 }
@@ -0,0 +1,151 @@
 //go:build windows
 // +build windows
 package wincred
 import (
 	"reflect"
 	"runtime"
 	"syscall"
 	"unsafe"
 	"golang.org/x/sys/windows"
 )
 var (
 	modadvapi32            = windows.NewLazySystemDLL("advapi32.dll")
 	procCredRead           = modadvapi32.NewProc("CredReadW")
 	procCredWrite     proc = modadvapi32.NewProc("CredWriteW")
 	procCredDelete    proc = modadvapi32.NewProc("CredDeleteW")
 	procCredFree      proc = modadvapi32.NewProc("CredFree")
 	procCredEnumerate      = modadvapi32.NewProc("CredEnumerateW")
 )
 // Interface for syscall.Proc: helps testing
 type proc interface {
 	Call(a ...uintptr) (r1, r2 uintptr, lastErr error)
 }
 // https://docs.microsoft.com/en-us/windows/desktop/api/wincred/ns-wincred-_credentialw
 type sysCREDENTIAL struct {
 	Flags              uint32
 	Type               uint32
 	TargetName         *uint16
 	Comment            *uint16
 	LastWritten        windows.Filetime
 	CredentialBlobSize uint32
 	CredentialBlob     *byte
 	Persist            uint32
 	AttributeCount     uint32
 	Attributes         *sysCREDENTIAL_ATTRIBUTE
 	TargetAlias        *uint16
 	UserName           *uint16
 }
 // https://docs.microsoft.com/en-us/windows/desktop/api/wincred/ns-wincred-_credential_attributew
 type sysCREDENTIAL_ATTRIBUTE struct {
 	Keyword   *uint16
 	Flags     uint32
 	ValueSize uint32
 	Value     *byte
 }
 // https://docs.microsoft.com/en-us/windows/desktop/api/wincred/ns-wincred-_credentialw
 type sysCRED_TYPE uint32
 const (
 	sysCRED_TYPE_GENERIC                 sysCRED_TYPE = 0x1
 	sysCRED_TYPE_DOMAIN_PASSWORD         sysCRED_TYPE = 0x2
 	sysCRED_TYPE_DOMAIN_CERTIFICATE      sysCRED_TYPE = 0x3
 	sysCRED_TYPE_DOMAIN_VISIBLE_PASSWORD sysCRED_TYPE = 0x4
 	sysCRED_TYPE_GENERIC_CERTIFICATE     sysCRED_TYPE = 0x5
 	sysCRED_TYPE_DOMAIN_EXTENDED         sysCRED_TYPE = 0x6
 	// https://docs.microsoft.com/en-us/windows/desktop/Debug/system-error-codes
 	sysERROR_NOT_FOUND         = windows.Errno(1168)
 	sysERROR_INVALID_PARAMETER = windows.Errno(87)
 	sysERROR_BAD_USERNAME      = windows.Errno(2202)
 )
 // https://docs.microsoft.com/en-us/windows/desktop/api/wincred/nf-wincred-credreadw
 func sysCredRead(targetName string, typ sysCRED_TYPE) (*Credential, error) {
 	var pcred *sysCREDENTIAL
 	targetNamePtr, _ := windows.UTF16PtrFromString(targetName)
 	ret, _, err := syscall.SyscallN(
 		procCredRead.Addr(),
 		uintptr(unsafe.Pointer(targetNamePtr)),
 		uintptr(typ),
 		0,
 		uintptr(unsafe.Pointer(&pcred)),
 	)
 	if ret == 0 {
 		return nil, err
 	}
 	defer procCredFree.Call(uintptr(unsafe.Pointer(pcred)))
 	return sysToCredential(pcred), nil
 }
 // https://docs.microsoft.com/en-us/windows/desktop/api/wincred/nf-wincred-credwritew
 func sysCredWrite(cred *Credential, typ sysCRED_TYPE) error {
 	ncred := sysFromCredential(cred)
 	ncred.Type = uint32(typ)
 	ret, _, err := procCredWrite.Call(
 		uintptr(unsafe.Pointer(ncred)),
 		0,
 	)
 	// Make sure everything reachable from ncred stays alive through the call.
 	runtime.KeepAlive(ncred)
 	if ret == 0 {
 		return err
 	}
 	return nil
 }
 // https://docs.microsoft.com/en-us/windows/desktop/api/wincred/nf-wincred-creddeletew
 func sysCredDelete(cred *Credential, typ sysCRED_TYPE) error {
 	targetNamePtr, _ := windows.UTF16PtrFromString(cred.TargetName)
 	ret, _, err := procCredDelete.Call(
 		uintptr(unsafe.Pointer(targetNamePtr)),
 		uintptr(typ),
 		0,
 	)
 	if ret == 0 {
 		return err
 	}
 	return nil
 }
 // https://docs.microsoft.com/en-us/windows/desktop/api/wincred/nf-wincred-credenumeratew
 func sysCredEnumerate(filter string, all bool) ([]*Credential, error) {
 	var count int
 	var pcreds uintptr
 	var filterPtr *uint16
 	if !all {
 		filterPtr, _ = windows.UTF16PtrFromString(filter)
 	}
 	ret, _, err := syscall.SyscallN(
 		procCredEnumerate.Addr(),
 		uintptr(unsafe.Pointer(filterPtr)),
 		0,
 		uintptr(unsafe.Pointer(&count)),
 		uintptr(unsafe.Pointer(&pcreds)),
 	)
 	if ret == 0 {
 		return nil, err
 	}
 	defer procCredFree.Call(pcreds)
 	credsSlice := *(*[]*sysCREDENTIAL)(unsafe.Pointer(&reflect.SliceHeader{
 		Data: pcreds,
 		Len:  count,
 		Cap:  count,
 	}))
 	creds := make([]*Credential, count, count)
 	for i, cred := range credsSlice {
 		creds[i] = sysToCredential(cred)
 	}
 	return creds, nil
 }
@@ -0,0 +1,38 @@
 //go:build !windows
 // +build !windows
 package wincred
 import (
 	"errors"
 	"syscall"
 )
 const (
 	sysCRED_TYPE_GENERIC                 = 0
 	sysCRED_TYPE_DOMAIN_PASSWORD         = 0
 	sysCRED_TYPE_DOMAIN_CERTIFICATE      = 0
 	sysCRED_TYPE_DOMAIN_VISIBLE_PASSWORD = 0
 	sysCRED_TYPE_GENERIC_CERTIFICATE     = 0
 	sysCRED_TYPE_DOMAIN_EXTENDED         = 0
 	sysERROR_NOT_FOUND         = syscall.Errno(1)
 	sysERROR_INVALID_PARAMETER = syscall.Errno(1)
 	sysERROR_BAD_USERNAME      = syscall.Errno(1)
 )
 func sysCredRead(...interface{}) (*Credential, error) {
 	return nil, errors.New("Operation not supported")
 }
 func sysCredWrite(...interface{}) error {
 	return errors.New("Operation not supported")
 }
 func sysCredDelete(...interface{}) error {
 	return errors.New("Operation not supported")
 }
 func sysCredEnumerate(...interface{}) ([]*Credential, error) {
 	return nil, errors.New("Operation not supported")
 }
@@ -4,19 +4,38 @@ import (
 	"time"
 )
 // CredentialPersistence describes one of three persistence modes of a credential.
 // A detailed description of the available modes can be found on
 // Docs: https://docs.microsoft.com/en-us/windows/desktop/api/wincred/ns-wincred-_credentialw
 type CredentialPersistence uint32
 const (
 	// PersistSession indicates that the credential only persists for the life
 	// of the current Windows login session. Such a credential is not visible in
 	// any other logon session, even from the same user.
 	PersistSession CredentialPersistence = 0x1
 	// PersistLocalMachine indicates that the credential persists for this and
 	// all subsequent logon sessions on this local machine/computer. It is
 	// however not visible for logon sessions of this user on a different
 	// machine.
 	PersistLocalMachine CredentialPersistence = 0x2
 	// PersistEnterprise indicates that the credential persists for this and all
 	// subsequent logon sessions for this user. It is also visible for logon
 	// sessions on different computers.
 	PersistEnterprise CredentialPersistence = 0x3
 )
 // CredentialAttribute represents an application-specific attribute of a credential.
 type CredentialAttribute struct {
 	Keyword string
 	Value   []byte
 }
 // Credential is the basic credential structure.
 // A credential is identified by its target name.
 // The actual credential secret is available in the CredentialBlob field.
 type Credential struct {
 	TargetName     string
 	Comment        string
@@ -28,10 +47,23 @@ type Credential struct {
 	Persist        CredentialPersistence
 }
 // GenericCredential holds a credential for generic usage.
 // It is typically defined and used by applications that need to manage user
 // secrets.
 //
 // More information about the available kinds of credentials of the Windows
 // Credential Management API can be found on Docs:
 // https://docs.microsoft.com/en-us/windows/desktop/SecAuthN/kinds-of-credentials
 type GenericCredential struct {
 	Credential
 }
 // DomainPassword holds a domain credential that is typically used by the
 // operating system for user logon.
 //
 // More information about the available kinds of credentials of the Windows
 // Credential Management API can be found on Docs:
 // https://docs.microsoft.com/en-us/windows/desktop/SecAuthN/kinds-of-credentials
 type DomainPassword struct {
 	Credential
 }
@@ -1,19 +1,39 @@
 // Package wincred provides primitives for accessing the Windows Credentials Management API.
 // This includes functions for retrieval, listing and storage of credentials as well as Go structures for convenient access to the credential data.
 //
 // A more detailed description of Windows Credentials Management can be found on
 // Docs: https://docs.microsoft.com/en-us/windows/desktop/SecAuthN/credentials-management
 package wincred
-import (
+import "errors"
-	"syscall"
+
 const (
 	// ErrElementNotFound is the error that is returned if a requested element cannot be found.
 	// This error constant can be used to check if a credential could not be found.
 	ErrElementNotFound = sysERROR_NOT_FOUND
 	// ErrInvalidParameter is the error that is returned for invalid parameters.
 	// This error constant can be used to check if the given function parameters were invalid.
 	// For example when trying to create a new generic credential with an empty target name.
 	ErrInvalidParameter = sysERROR_INVALID_PARAMETER
 	// ErrBadUsername is returned when the credential's username is invalid.
 	ErrBadUsername = sysERROR_BAD_USERNAME
 )
-// Get the generic credential with the given name from Windows credential manager
+// GetGenericCredential fetches the generic credential with the given name from Windows credential manager.
 // It returns nil and an error if the credential could not be found or an error occurred.
 func GetGenericCredential(targetName string) (*GenericCredential, error) {
-	cred, err := nativeCredRead(targetName, naCRED_TYPE_GENERIC)
+	cred, err := sysCredRead(targetName, sysCRED_TYPE_GENERIC)
 	if cred != nil {
-		return &GenericCredential{*cred}, err
+		return &GenericCredential{Credential: *cred}, err
 	}
 	return nil, err
 }
-// Create a new generic credential with the given name
+// NewGenericCredential creates a new generic credential object with the given name.
 // The persist mode of the newly created object is set to a default value that indicates local-machine-wide storage.
 // The credential object is NOT yet persisted to the Windows credential vault.
 func NewGenericCredential(targetName string) (result *GenericCredential) {
 	result = new(GenericCredential)
 	result.TargetName = targetName
@@ -21,28 +41,31 @@ func NewGenericCredential(targetName string) (result *GenericCredential) {
 	return
 }
-// Persist the credential to Windows credential manager
+// Write persists the generic credential object to Windows credential manager.
 func (t *GenericCredential) Write() (err error) {
-	err = nativeCredWrite(&t.Credential, naCRED_TYPE_GENERIC)
+	err = sysCredWrite(&t.Credential, sysCRED_TYPE_GENERIC)
 	return
 }
-// Delete the credential from Windows credential manager
+// Delete removes the credential object from Windows credential manager.
 func (t *GenericCredential) Delete() (err error) {
-	err = nativeCredDelete(&t.Credential, naCRED_TYPE_GENERIC)
+	err = sysCredDelete(&t.Credential, sysCRED_TYPE_GENERIC)
 	return
 }
-// Get the domain password credential with the given target host name
+// GetDomainPassword fetches the domain-password credential with the given target host name from Windows credential manager.
 // It returns nil and an error if the credential could not be found or an error occurred.
 func GetDomainPassword(targetName string) (*DomainPassword, error) {
-	cred, err := nativeCredRead(targetName, naCRED_TYPE_DOMAIN_PASSWORD)
+	cred, err := sysCredRead(targetName, sysCRED_TYPE_DOMAIN_PASSWORD)
 	if cred != nil {
-		return &DomainPassword{*cred}, err
+		return &DomainPassword{Credential: *cred}, err
 	}
 	return nil, err
 }
-// Create a new domain password credential used for login to the given target host name
+// NewDomainPassword creates a new domain-password credential used for login to the given target host name.
 // The  persist mode of the newly created object is set to a default value that indicates local-machine-wide storage.
 // The credential object is NOT yet persisted to the Windows credential vault.
 func NewDomainPassword(targetName string) (result *DomainPassword) {
 	result = new(DomainPassword)
 	result.TargetName = targetName
@@ -50,28 +73,39 @@ func NewDomainPassword(targetName string) (result *DomainPassword) {
 	return
 }
-// Persist the domain password credential to Windows credential manager
+// Write persists the domain-password credential to Windows credential manager.
 func (t *DomainPassword) Write() (err error) {
-	err = nativeCredWrite(&t.Credential, naCRED_TYPE_DOMAIN_PASSWORD)
+	err = sysCredWrite(&t.Credential, sysCRED_TYPE_DOMAIN_PASSWORD)
 	return
 }
-// Delete the domain password credential from Windows credential manager
+// Delete removes the domain-password credential from Windows credential manager.
 func (t *DomainPassword) Delete() (err error) {
-	err = nativeCredDelete(&t.Credential, naCRED_TYPE_DOMAIN_PASSWORD)
+	err = sysCredDelete(&t.Credential, sysCRED_TYPE_DOMAIN_PASSWORD)
 	return
 }
-// Set the CredentialBlob field of a domain password credential
+// SetPassword sets the CredentialBlob field of a domain password credential to the given string.
 // using an UTF16 encoded password string
 func (t *DomainPassword) SetPassword(pw string) {
-	t.CredentialBlob = utf16ToByte(syscall.StringToUTF16(pw))
+	t.CredentialBlob = utf16ToByte(utf16FromString(pw))
 }
-// List the contents of the Credentials store
+// List retrieves all credentials of the Credentials store.
 func List() ([]*Credential, error) {
-	creds, err := nativeCredEnumerate("", true)
+	creds, err := sysCredEnumerate("", true)
-	if err != nil && err.Error() == naERROR_NOT_FOUND {
+	if err != nil && errors.Is(err, ErrElementNotFound) {
 		// Ignore ERROR_NOT_FOUND and return an empty list instead
 		creds = []*Credential{}
 		err = nil
 	}
 	return creds, err
 }
 // FilteredList retrieves the list of credentials from the Credentials store that match the given filter.
 // The filter string defines the prefix followed by an asterisk for the `TargetName` attribute of the credentials.
 func FilteredList(filter string) ([]*Credential, error) {
 	creds, err := sysCredEnumerate(filter, false)
 	if err != nil && errors.Is(err, ErrElementNotFound) {
 		// Ignore ERROR_NOT_FOUND and return an empty list instead
 		creds = []*Credential{}
 		err = nil
@@ -0,0 +1,26 @@
 # Compiled Object files, Static and Dynamic libs (Shared Objects)
 *.o
 *.a
 *.so
 # Folders
 _obj
 _test
 # Architecture specific extensions/prefixes
 *.[568vq]
 [568vq].out
 *.cgo1.go
 *.cgo2.c
 _cgo_defun.c
 _cgo_gotypes.go
 _cgo_export.*
 _testmain.go
 *.exe
 *.test
 *.prof
 vendor
@@ -0,0 +1,13 @@
 linters-settings:
  gocritic:
    disabled-checks:
      - ifElseChain
      - elseif
 linters:
  enable:
    - gofmt
    - gocritic
    - unconvert
    - revive
    - govet
@@ -0,0 +1,22 @@
 The MIT License (MIT)
 Copyright (c) 2015 Keybase
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
 in the Software without restriction, including without limitation the rights
 to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 copies of the Software, and to permit persons to whom the Software is
 furnished to do so, subject to the following conditions:
 The above copyright notice and this permission notice shall be included in all
 copies or substantial portions of the Software.
 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 SOFTWARE.
@@ -0,0 +1,126 @@
 # Go Keychain
 [![Build Status](https://github.com/keybase/go-keychain/actions/workflows/ci.yml/badge.svg)](https://github.com/keybase/go-keychain/actions)
 A library for accessing the Keychain for macOS, iOS, and Linux in Go (golang).
 Requires macOS 10.9 or greater and iOS 8 or greater. On Linux, communicates to
 a provider of the DBUS SecretService spec like gnome-keyring or ksecretservice.
 ```go
 import "github.com/keybase/go-keychain"
 ```
 ## Mac/iOS Usage
 The API is meant to mirror the macOS/iOS Keychain API and is not necessarily idiomatic go.
 #### Add Item
 ```go
 item := keychain.NewItem()
 item.SetSecClass(keychain.SecClassGenericPassword)
 item.SetService("MyService")
 item.SetAccount("gabriel")
 item.SetLabel("A label")
 item.SetAccessGroup("A123456789.group.com.mycorp")
 item.SetData([]byte("toomanysecrets"))
 item.SetSynchronizable(keychain.SynchronizableNo)
 item.SetAccessible(keychain.AccessibleWhenUnlocked)
 err := keychain.AddItem(item)
 if err == keychain.ErrorDuplicateItem {
  // Duplicate
 }
 ```
 #### Query Item
 Query for multiple results, returning attributes:
 ```go
 query := keychain.NewItem()
 query.SetSecClass(keychain.SecClassGenericPassword)
 query.SetService(service)
 query.SetAccount(account)
 query.SetAccessGroup(accessGroup)
 query.SetMatchLimit(keychain.MatchLimitAll)
 query.SetReturnAttributes(true)
 results, err := keychain.QueryItem(query)
 if err != nil {
  // Error
 } else {
  for _, r := range results {
    fmt.Printf("%#v\n", r)
  }
 }
 ```
 Query for a single result, returning data:
 ```go
 query := keychain.NewItem()
 query.SetSecClass(keychain.SecClassGenericPassword)
 query.SetService(service)
 query.SetAccount(account)
 query.SetAccessGroup(accessGroup)
 query.SetMatchLimit(keychain.MatchLimitOne)
 query.SetReturnData(true)
 results, err := keychain.QueryItem(query)
 if err != nil {
  // Error
 } else if len(results) != 1 {
  // Not found
 } else {
  password := string(results[0].Data)
 }
 ```
 #### Delete Item
 Delete a generic password item with service and account:
 ```go
 item := keychain.NewItem()
 item.SetSecClass(keychain.SecClassGenericPassword)
 item.SetService(service)
 item.SetAccount(account)
 err := keychain.DeleteItem(item)
 ```
 ### Other
 There are some convenience methods for generic password:
 ```go
 // Create generic password item with service, account, label, password, access group
 item := keychain.NewGenericPassword("MyService", "gabriel", "A label", []byte("toomanysecrets"), "A123456789.group.com.mycorp")
 item.SetSynchronizable(keychain.SynchronizableNo)
 item.SetAccessible(keychain.AccessibleWhenUnlocked)
 err := keychain.AddItem(item)
 if err == keychain.ErrorDuplicateItem {
  // Duplicate
 }
 password, err := keychain.GetGenericPassword("MyService", "gabriel", "A label", "A123456789.group.com.mycorp")
 accounts, err := keychain.GetGenericPasswordAccounts("MyService")
 // Should have 1 account == "gabriel"
 err := keychain.DeleteGenericPasswordItem("MyService", "gabriel")
 if err == keychain.ErrorItemNotFound {
  // Not found
 }
 ```
 ## iOS
 Bindable package in `bind`. iOS project in `ios`. Run that project to test iOS.
 To re-generate framework:
 ```
 (cd bind && gomobile bind -target=ios -tags=ios -o ../ios/bind.framework)
 ```
 Post issues to: https://github.com/keybase/keybase-issues
@@ -0,0 +1,370 @@
 //go:build darwin || ios
 // +build darwin ios
 package keychain
 /*
 #cgo LDFLAGS: -framework CoreFoundation
 #include <CoreFoundation/CoreFoundation.h>
 // Can't cast a *uintptr to *unsafe.Pointer in Go, and casting
 // C.CFTypeRef to unsafe.Pointer is unsafe in Go, so have shim functions to
 // do the casting in C (where it's safe).
 // We add a suffix to the C functions below, because we copied this
 // file from go-kext, which means that any project that depends on this
 // package and go-kext would run into duplicate symbol errors otherwise.
 //
 // TODO: Move this file into its own package depended on by go-kext
 // and this package.
 CFDictionaryRef CFDictionaryCreateSafe2(CFAllocatorRef allocator, const uintptr_t *keys, const uintptr_t *values, CFIndex numValues, const CFDictionaryKeyCallBacks *keyCallBacks, const CFDictionaryValueCallBacks *valueCallBacks) {
  return CFDictionaryCreate(allocator, (const void **)keys, (const void **)values, numValues, keyCallBacks, valueCallBacks);
 }
 CFArrayRef CFArrayCreateSafe2(CFAllocatorRef allocator, const uintptr_t *values, CFIndex numValues, const CFArrayCallBacks *callBacks) {
  return CFArrayCreate(allocator, (const void **)values, numValues, callBacks);
 }
 */
 import "C"
 import (
 	"errors"
 	"fmt"
 	"math"
 	"reflect"
 	"unicode/utf8"
 	"unsafe"
 )
 // Release releases memory pointed to by a CFTypeRef.
 func Release(ref C.CFTypeRef) {
 	C.CFRelease(ref)
 }
 // BytesToCFData will return a CFDataRef and if non-nil, must be released with
 // Release(ref).
 func BytesToCFData(b []byte) (C.CFDataRef, error) {
 	if uint64(len(b)) > math.MaxUint32 {
 		return 0, errors.New("Data is too large")
 	}
 	var p *C.UInt8
 	if len(b) > 0 {
 		p = (*C.UInt8)(&b[0])
 	}
 	cfData := C.CFDataCreate(C.kCFAllocatorDefault, p, C.CFIndex(len(b)))
 	if cfData == 0 {
 		return 0, fmt.Errorf("CFDataCreate failed")
 	}
 	return cfData, nil
 }
 // CFDataToBytes converts CFData to bytes.
 func CFDataToBytes(cfData C.CFDataRef) ([]byte, error) {
 	return C.GoBytes(unsafe.Pointer(C.CFDataGetBytePtr(cfData)), C.int(C.CFDataGetLength(cfData))), nil
 }
 // MapToCFDictionary will return a CFDictionaryRef and if non-nil, must be
 // released with Release(ref).
 func MapToCFDictionary(m map[C.CFTypeRef]C.CFTypeRef) (C.CFDictionaryRef, error) {
 	var keys, values []C.uintptr_t
 	for key, value := range m {
 		keys = append(keys, C.uintptr_t(key))
 		values = append(values, C.uintptr_t(value))
 	}
 	numValues := len(values)
 	var keysPointer, valuesPointer *C.uintptr_t
 	if numValues > 0 {
 		keysPointer = &keys[0]
 		valuesPointer = &values[0]
 	}
 	cfDict := C.CFDictionaryCreateSafe2(C.kCFAllocatorDefault, keysPointer, valuesPointer, C.CFIndex(numValues),
 		&C.kCFTypeDictionaryKeyCallBacks, &C.kCFTypeDictionaryValueCallBacks) //nolint
 	if cfDict == 0 {
 		return 0, fmt.Errorf("CFDictionaryCreate failed")
 	}
 	return cfDict, nil
 }
 // CFDictionaryToMap converts CFDictionaryRef to a map.
 func CFDictionaryToMap(cfDict C.CFDictionaryRef) (m map[C.CFTypeRef]C.CFTypeRef) {
 	count := C.CFDictionaryGetCount(cfDict)
 	if count > 0 {
 		keys := make([]C.CFTypeRef, count)
 		values := make([]C.CFTypeRef, count)
 		C.CFDictionaryGetKeysAndValues(cfDict, (*unsafe.Pointer)(unsafe.Pointer(&keys[0])), (*unsafe.Pointer)(unsafe.Pointer(&values[0])))
 		m = make(map[C.CFTypeRef]C.CFTypeRef, count)
 		for i := C.CFIndex(0); i < count; i++ {
 			m[keys[i]] = values[i]
 		}
 	}
 	return
 }
 // Int32ToCFNumber will return a CFNumberRef, must be released with Release(ref).
 func Int32ToCFNumber(u int32) C.CFNumberRef {
 	sint := C.SInt32(u)
 	p := unsafe.Pointer(&sint)
 	return C.CFNumberCreate(C.kCFAllocatorDefault, C.kCFNumberSInt32Type, p)
 }
 // StringToCFString will return a CFStringRef and if non-nil, must be released with
 // Release(ref).
 func StringToCFString(s string) (C.CFStringRef, error) {
 	if !utf8.ValidString(s) {
 		return 0, errors.New("Invalid UTF-8 string")
 	}
 	if uint64(len(s)) > math.MaxUint32 {
 		return 0, errors.New("String is too large")
 	}
 	bytes := []byte(s)
 	var p *C.UInt8
 	if len(bytes) > 0 {
 		p = (*C.UInt8)(&bytes[0])
 	}
 	return C.CFStringCreateWithBytes(C.kCFAllocatorDefault, p, C.CFIndex(len(s)), C.kCFStringEncodingUTF8, C.false), nil
 }
 // CFStringToString converts a CFStringRef to a string.
 func CFStringToString(s C.CFStringRef) string {
 	p := C.CFStringGetCStringPtr(s, C.kCFStringEncodingUTF8)
 	if p != nil {
 		return C.GoString(p)
 	}
 	length := C.CFStringGetLength(s)
 	if length == 0 {
 		return ""
 	}
 	maxBufLen := C.CFStringGetMaximumSizeForEncoding(length, C.kCFStringEncodingUTF8)
 	if maxBufLen == 0 {
 		return ""
 	}
 	buf := make([]byte, maxBufLen)
 	var usedBufLen C.CFIndex
 	_ = C.CFStringGetBytes(s, C.CFRange{0, length}, C.kCFStringEncodingUTF8, C.UInt8(0), C.false, (*C.UInt8)(&buf[0]), maxBufLen, &usedBufLen)
 	return string(buf[:usedBufLen])
 }
 // ArrayToCFArray will return a CFArrayRef and if non-nil, must be released with
 // Release(ref).
 func ArrayToCFArray(a []C.CFTypeRef) C.CFArrayRef {
 	var values []C.uintptr_t
 	for _, value := range a {
 		values = append(values, C.uintptr_t(value))
 	}
 	numValues := len(values)
 	var valuesPointer *C.uintptr_t
 	if numValues > 0 {
 		valuesPointer = &values[0]
 	}
 	return C.CFArrayCreateSafe2(C.kCFAllocatorDefault, valuesPointer, C.CFIndex(numValues), &C.kCFTypeArrayCallBacks) //nolint
 }
 // CFArrayToArray converts a CFArrayRef to an array of CFTypes.
 func CFArrayToArray(cfArray C.CFArrayRef) (a []C.CFTypeRef) {
 	count := C.CFArrayGetCount(cfArray)
 	if count > 0 {
 		a = make([]C.CFTypeRef, count)
 		C.CFArrayGetValues(cfArray, C.CFRange{0, count}, (*unsafe.Pointer)(unsafe.Pointer(&a[0])))
 	}
 	return
 }
 // Convertable knows how to convert an instance to a CFTypeRef.
 type Convertable interface {
 	Convert() (C.CFTypeRef, error)
 }
 // ConvertMapToCFDictionary converts a map to a CFDictionary and if non-nil,
 // must be released with Release(ref).
 func ConvertMapToCFDictionary(attr map[string]interface{}) (C.CFDictionaryRef, error) {
 	m := make(map[C.CFTypeRef]C.CFTypeRef)
 	for key, i := range attr {
 		var valueRef C.CFTypeRef
 		switch val := i.(type) {
 		default:
 			return 0, fmt.Errorf("Unsupported value type: %v", reflect.TypeOf(i))
 		case C.CFTypeRef:
 			valueRef = val
 		case bool:
 			if val {
 				valueRef = C.CFTypeRef(C.kCFBooleanTrue)
 			} else {
 				valueRef = C.CFTypeRef(C.kCFBooleanFalse)
 			}
 		case int32:
 			valueRef = C.CFTypeRef(Int32ToCFNumber(val))
 			defer Release(valueRef)
 		case []byte:
 			bytesRef, err := BytesToCFData(val)
 			if err != nil {
 				return 0, err
 			}
 			valueRef = C.CFTypeRef(bytesRef)
 			defer Release(valueRef)
 		case string:
 			stringRef, err := StringToCFString(val)
 			if err != nil {
 				return 0, err
 			}
 			valueRef = C.CFTypeRef(stringRef)
 			defer Release(valueRef)
 		case Convertable:
 			convertedRef, err := val.Convert()
 			if err != nil {
 				return 0, err
 			}
 			valueRef = convertedRef
 			defer Release(valueRef)
 		}
 		keyRef, err := StringToCFString(key)
 		if err != nil {
 			return 0, err
 		}
 		m[C.CFTypeRef(keyRef)] = valueRef
 		defer Release(C.CFTypeRef(keyRef))
 	}
 	cfDict, err := MapToCFDictionary(m)
 	if err != nil {
 		return 0, err
 	}
 	return cfDict, nil
 }
 // CFTypeDescription returns type string for CFTypeRef.
 func CFTypeDescription(ref C.CFTypeRef) string {
 	typeID := C.CFGetTypeID(ref)
 	typeDesc := C.CFCopyTypeIDDescription(typeID)
 	defer Release(C.CFTypeRef(typeDesc))
 	return CFStringToString(typeDesc)
 }
 // Convert converts a CFTypeRef to a go instance.
 func Convert(ref C.CFTypeRef) (interface{}, error) {
 	typeID := C.CFGetTypeID(ref)
 	if typeID == C.CFStringGetTypeID() {
 		return CFStringToString(C.CFStringRef(ref)), nil
 	} else if typeID == C.CFDictionaryGetTypeID() {
 		return ConvertCFDictionary(C.CFDictionaryRef(ref))
 	} else if typeID == C.CFArrayGetTypeID() {
 		arr := CFArrayToArray(C.CFArrayRef(ref))
 		results := make([]interface{}, 0, len(arr))
 		for _, ref := range arr {
 			v, err := Convert(ref)
 			if err != nil {
 				return nil, err
 			}
 			results = append(results, v)
 		}
 		return results, nil
 	} else if typeID == C.CFDataGetTypeID() {
 		b, err := CFDataToBytes(C.CFDataRef(ref))
 		if err != nil {
 			return nil, err
 		}
 		return b, nil
 	} else if typeID == C.CFNumberGetTypeID() {
 		return CFNumberToInterface(C.CFNumberRef(ref)), nil
 	} else if typeID == C.CFBooleanGetTypeID() {
 		if C.CFBooleanGetValue(C.CFBooleanRef(ref)) != 0 {
 			return true, nil
 		}
 		return false, nil
 	}
 	return nil, fmt.Errorf("Invalid type: %s", CFTypeDescription(ref))
 }
 // ConvertCFDictionary converts a CFDictionary to map (deep).
 func ConvertCFDictionary(d C.CFDictionaryRef) (map[interface{}]interface{}, error) {
 	m := CFDictionaryToMap(d)
 	result := make(map[interface{}]interface{})
 	for k, v := range m {
 		gk, err := Convert(k)
 		if err != nil {
 			return nil, err
 		}
 		gv, err := Convert(v)
 		if err != nil {
 			return nil, err
 		}
 		result[gk] = gv
 	}
 	return result, nil
 }
 // CFNumberToInterface converts the CFNumberRef to the most appropriate numeric
 // type.
 // This code is from github.com/kballard/go-osx-plist.
 func CFNumberToInterface(cfNumber C.CFNumberRef) interface{} {
 	typ := C.CFNumberGetType(cfNumber)
 	switch typ {
 	case C.kCFNumberSInt8Type:
 		var sint C.SInt8
 		C.CFNumberGetValue(cfNumber, typ, unsafe.Pointer(&sint)) //nolint
 		return int8(sint)
 	case C.kCFNumberSInt16Type:
 		var sint C.SInt16
 		C.CFNumberGetValue(cfNumber, typ, unsafe.Pointer(&sint)) //nolint
 		return int16(sint)
 	case C.kCFNumberSInt32Type:
 		var sint C.SInt32
 		C.CFNumberGetValue(cfNumber, typ, unsafe.Pointer(&sint)) //nolint
 		return int32(sint)
 	case C.kCFNumberSInt64Type:
 		var sint C.SInt64
 		C.CFNumberGetValue(cfNumber, typ, unsafe.Pointer(&sint)) //nolint
 		return int64(sint)
 	case C.kCFNumberFloat32Type:
 		var float C.Float32
 		C.CFNumberGetValue(cfNumber, typ, unsafe.Pointer(&float)) //nolint
 		return float32(float)
 	case C.kCFNumberFloat64Type:
 		var float C.Float64
 		C.CFNumberGetValue(cfNumber, typ, unsafe.Pointer(&float)) //nolint
 		return float64(float)
 	case C.kCFNumberCharType:
 		var char C.char
 		C.CFNumberGetValue(cfNumber, typ, unsafe.Pointer(&char)) //nolint
 		return byte(char)
 	case C.kCFNumberShortType:
 		var short C.short
 		C.CFNumberGetValue(cfNumber, typ, unsafe.Pointer(&short)) //nolint
 		return int16(short)
 	case C.kCFNumberIntType:
 		var i C.int
 		C.CFNumberGetValue(cfNumber, typ, unsafe.Pointer(&i)) //nolint
 		return int32(i)
 	case C.kCFNumberLongType:
 		var long C.long
 		C.CFNumberGetValue(cfNumber, typ, unsafe.Pointer(&long)) //nolint
 		return int(long)
 	case C.kCFNumberLongLongType:
 		// This is the only type that may actually overflow us
 		var longlong C.longlong
 		C.CFNumberGetValue(cfNumber, typ, unsafe.Pointer(&longlong)) //nolint
 		return int64(longlong)
 	case C.kCFNumberFloatType:
 		var float C.float
 		C.CFNumberGetValue(cfNumber, typ, unsafe.Pointer(&float)) //nolint
 		return float32(float)
 	case C.kCFNumberDoubleType:
 		var double C.double
 		C.CFNumberGetValue(cfNumber, typ, unsafe.Pointer(&double)) //nolint
 		return float64(double)
 	case C.kCFNumberCFIndexType:
 		// CFIndex is a long
 		var index C.CFIndex
 		C.CFNumberGetValue(cfNumber, typ, unsafe.Pointer(&index)) //nolint
 		return int(index)
 	case C.kCFNumberNSIntegerType:
 		// We don't have a definition of NSInteger, but we know it's either an int or a long
 		var nsInt C.long
 		C.CFNumberGetValue(cfNumber, typ, unsafe.Pointer(&nsInt)) //nolint
 		return int(nsInt)
 	}
 	panic("Unknown CFNumber type")
 }
@@ -0,0 +1,69 @@
 //go:build darwin || ios
 // +build darwin ios
 package keychain
 /*
 #cgo LDFLAGS: -framework CoreFoundation
 #include <CoreFoundation/CoreFoundation.h>
 */
 import "C"
 import (
 	"math"
 	"time"
 )
 const nsPerSec = 1000 * 1000 * 1000
 // absoluteTimeIntervalSince1970() returns the number of seconds from
 // the Unix epoch (1970-01-01T00:00:00+00:00) to the Core Foundation
 // absolute reference date (2001-01-01T00:00:00+00:00). It should be
 // exactly 978307200.
 func absoluteTimeIntervalSince1970() int64 {
 	return int64(C.kCFAbsoluteTimeIntervalSince1970)
 }
 func unixToAbsoluteTime(s int64, ns int64) C.CFAbsoluteTime {
 	// Subtract as int64s first before converting to floating
 	// point to minimize precision loss (assuming the given time
 	// isn't much earlier than the Core Foundation absolute
 	// reference date).
 	abs := s - absoluteTimeIntervalSince1970()
 	return C.CFAbsoluteTime(abs) + C.CFTimeInterval(ns)/nsPerSec
 }
 func absoluteTimeToUnix(abs C.CFAbsoluteTime) (int64, int64) {
 	i, frac := math.Modf(float64(abs))
 	return int64(i) + absoluteTimeIntervalSince1970(), int64(frac * nsPerSec)
 }
 // TimeToCFDate will convert the given time.Time to a CFDateRef, which
 // must be released with Release(ref).
 func TimeToCFDate(t time.Time) C.CFDateRef {
 	s := t.Unix()
 	ns := int64(t.Nanosecond())
 	abs := unixToAbsoluteTime(s, ns)
 	return C.CFDateCreate(C.kCFAllocatorDefault, abs)
 }
 // CFDateToTime will convert the given CFDateRef to a time.Time.
 func CFDateToTime(d C.CFDateRef) time.Time {
 	abs := C.CFDateGetAbsoluteTime(d)
 	s, ns := absoluteTimeToUnix(abs)
 	return time.Unix(s, ns)
 }
 // Wrappers around C functions for testing.
 func cfDateToAbsoluteTime(d C.CFDateRef) C.CFAbsoluteTime {
 	return C.CFDateGetAbsoluteTime(d)
 }
 func absoluteTimeToCFDate(abs C.CFAbsoluteTime) C.CFDateRef {
 	return C.CFDateCreate(C.kCFAllocatorDefault, abs)
 }
 func releaseCFDate(d C.CFDateRef) {
 	Release(C.CFTypeRef(d))
 }
@@ -0,0 +1,23 @@
 //go:build darwin && ios
 // +build darwin,ios
 package keychain
 /*
 #cgo LDFLAGS: -framework CoreFoundation -framework Security
 #include <CoreFoundation/CoreFoundation.h>
 #include <Security/Security.h>
 */
 import "C"
 var AccessibleKey = attrKey(C.CFTypeRef(C.kSecAttrAccessible))
 var accessibleTypeRef = map[Accessible]C.CFTypeRef{
 	AccessibleWhenUnlocked:                   C.CFTypeRef(C.kSecAttrAccessibleWhenUnlocked),
 	AccessibleAfterFirstUnlock:               C.CFTypeRef(C.kSecAttrAccessibleAfterFirstUnlock),
 	AccessibleAlways:                         C.CFTypeRef(C.kSecAttrAccessibleAlways),
 	AccessibleWhenPasscodeSetThisDeviceOnly:  C.CFTypeRef(C.kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly),
 	AccessibleWhenUnlockedThisDeviceOnly:     C.CFTypeRef(C.kSecAttrAccessibleWhenUnlockedThisDeviceOnly),
 	AccessibleAfterFirstUnlockThisDeviceOnly: C.CFTypeRef(C.kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly),
 	AccessibleAccessibleAlwaysThisDeviceOnly: C.CFTypeRef(C.kSecAttrAccessibleAlwaysThisDeviceOnly),
 }
@@ -0,0 +1,653 @@
 //go:build darwin
 // +build darwin
 package keychain
 // See https://developer.apple.com/library/ios/documentation/Security/Reference/keychainservices/index.html for the APIs used below.
 // Also see https://developer.apple.com/library/ios/documentation/Security/Conceptual/keychainServConcepts/01introduction/introduction.html .
 /*
 #cgo LDFLAGS: -framework CoreFoundation -framework Security
 #include <CoreFoundation/CoreFoundation.h>
 #include <Security/Security.h>
 */
 import "C"
 import (
 	"fmt"
 	"time"
 )
 // Error defines keychain errors
 type Error int
 var (
 	// ErrorUnimplemented corresponds to errSecUnimplemented result code
 	ErrorUnimplemented = Error(C.errSecUnimplemented)
 	// ErrorParam corresponds to errSecParam result code
 	ErrorParam = Error(C.errSecParam)
 	// ErrorAllocate corresponds to errSecAllocate result code
 	ErrorAllocate = Error(C.errSecAllocate)
 	// ErrorNotAvailable corresponds to errSecNotAvailable result code
 	ErrorNotAvailable = Error(C.errSecNotAvailable)
 	// ErrorAuthFailed corresponds to errSecAuthFailed result code
 	ErrorAuthFailed = Error(C.errSecAuthFailed)
 	// ErrorDuplicateItem corresponds to errSecDuplicateItem result code
 	ErrorDuplicateItem = Error(C.errSecDuplicateItem)
 	// ErrorItemNotFound corresponds to errSecItemNotFound result code
 	ErrorItemNotFound = Error(C.errSecItemNotFound)
 	// ErrorInteractionNotAllowed corresponds to errSecInteractionNotAllowed result code
 	ErrorInteractionNotAllowed = Error(C.errSecInteractionNotAllowed)
 	// ErrorDecode corresponds to errSecDecode result code
 	ErrorDecode = Error(C.errSecDecode)
 	// ErrorNoSuchKeychain corresponds to errSecNoSuchKeychain result code
 	ErrorNoSuchKeychain = Error(C.errSecNoSuchKeychain)
 	// ErrorNoAccessForItem corresponds to errSecNoAccessForItem result code
 	ErrorNoAccessForItem = Error(C.errSecNoAccessForItem)
 	// ErrorReadOnly corresponds to errSecReadOnly result code
 	ErrorReadOnly = Error(C.errSecReadOnly)
 	// ErrorInvalidKeychain corresponds to errSecInvalidKeychain result code
 	ErrorInvalidKeychain = Error(C.errSecInvalidKeychain)
 	// ErrorDuplicateKeyChain corresponds to errSecDuplicateKeychain result code
 	ErrorDuplicateKeyChain = Error(C.errSecDuplicateKeychain)
 	// ErrorWrongVersion corresponds to errSecWrongSecVersion result code
 	ErrorWrongVersion = Error(C.errSecWrongSecVersion)
 	// ErrorReadonlyAttribute corresponds to errSecReadOnlyAttr result code
 	ErrorReadonlyAttribute = Error(C.errSecReadOnlyAttr)
 	// ErrorInvalidSearchRef corresponds to errSecInvalidSearchRef result code
 	ErrorInvalidSearchRef = Error(C.errSecInvalidSearchRef)
 	// ErrorInvalidItemRef corresponds to errSecInvalidItemRef result code
 	ErrorInvalidItemRef = Error(C.errSecInvalidItemRef)
 	// ErrorDataNotAvailable corresponds to errSecDataNotAvailable result code
 	ErrorDataNotAvailable = Error(C.errSecDataNotAvailable)
 	// ErrorDataNotModifiable corresponds to errSecDataNotModifiable result code
 	ErrorDataNotModifiable = Error(C.errSecDataNotModifiable)
 	// ErrorInvalidOwnerEdit corresponds to errSecInvalidOwnerEdit result code
 	ErrorInvalidOwnerEdit = Error(C.errSecInvalidOwnerEdit)
 	// ErrorUserCanceled corresponds to errSecUserCanceled result code
 	ErrorUserCanceled = Error(C.errSecUserCanceled)
 )
 func checkError(errCode C.OSStatus) error {
 	if errCode == C.errSecSuccess {
 		return nil
 	}
 	return Error(errCode)
 }
 func (k Error) Error() (msg string) {
 	// SecCopyErrorMessageString is only available on OSX, so derive manually.
 	// Messages derived from `$ security error $errcode`.
 	switch k {
 	case ErrorUnimplemented:
 		msg = "Function or operation not implemented."
 	case ErrorParam:
 		msg = "One or more parameters passed to the function were not valid."
 	case ErrorAllocate:
 		msg = "Failed to allocate memory."
 	case ErrorNotAvailable:
 		msg = "No keychain is available. You may need to restart your computer."
 	case ErrorAuthFailed:
 		msg = "The user name or passphrase you entered is not correct."
 	case ErrorDuplicateItem:
 		msg = "The specified item already exists in the keychain."
 	case ErrorItemNotFound:
 		msg = "The specified item could not be found in the keychain."
 	case ErrorInteractionNotAllowed:
 		msg = "User interaction is not allowed."
 	case ErrorDecode:
 		msg = "Unable to decode the provided data."
 	case ErrorNoSuchKeychain:
 		msg = "The specified keychain could not be found."
 	case ErrorNoAccessForItem:
 		msg = "The specified item has no access control."
 	case ErrorReadOnly:
 		msg = "Read-only error."
 	case ErrorReadonlyAttribute:
 		msg = "The attribute is read-only."
 	case ErrorInvalidKeychain:
 		msg = "The keychain is not valid."
 	case ErrorDuplicateKeyChain:
 		msg = "A keychain with the same name already exists."
 	case ErrorWrongVersion:
 		msg = "The version is incorrect."
 	case ErrorInvalidItemRef:
 		msg = "The item reference is invalid."
 	case ErrorInvalidSearchRef:
 		msg = "The search reference is invalid."
 	case ErrorDataNotAvailable:
 		msg = "The data is not available."
 	case ErrorDataNotModifiable:
 		msg = "The data is not modifiable."
 	case ErrorInvalidOwnerEdit:
 		msg = "An invalid attempt to change the owner of an item."
 	case ErrorUserCanceled:
 		msg = "User canceled the operation."
 	default:
 		msg = "Keychain Error."
 	}
 	return fmt.Sprintf("%s (%d)", msg, k)
 }
 // SecClass is the items class code
 type SecClass int
 // Keychain Item Classes
 var (
 	/*
 		kSecClassGenericPassword item attributes:
 		 kSecAttrAccess (OS X only)
 		 kSecAttrAccessGroup (iOS; also OS X if kSecAttrSynchronizable specified)
 		 kSecAttrAccessible (iOS; also OS X if kSecAttrSynchronizable specified)
 		 kSecAttrAccount
 		 kSecAttrService
 	*/
 	SecClassGenericPassword  SecClass = 1
 	SecClassInternetPassword SecClass = 2
 )
 // SecClassKey is the key type for SecClass
 var SecClassKey = attrKey(C.CFTypeRef(C.kSecClass))
 var secClassTypeRef = map[SecClass]C.CFTypeRef{
 	SecClassGenericPassword:  C.CFTypeRef(C.kSecClassGenericPassword),
 	SecClassInternetPassword: C.CFTypeRef(C.kSecClassInternetPassword),
 }
 var (
 	// ServiceKey is for kSecAttrService
 	ServiceKey = attrKey(C.CFTypeRef(C.kSecAttrService))
 	// ServerKey is for kSecAttrServer
 	ServerKey = attrKey(C.CFTypeRef(C.kSecAttrServer))
 	// ProtocolKey is for kSecAttrProtocol
 	ProtocolKey = attrKey(C.CFTypeRef(C.kSecAttrProtocol))
 	// AuthenticationTypeKey is for kSecAttrAuthenticationType
 	AuthenticationTypeKey = attrKey(C.CFTypeRef(C.kSecAttrAuthenticationType))
 	// PortKey is for kSecAttrPort
 	PortKey = attrKey(C.CFTypeRef(C.kSecAttrPort))
 	// PathKey is for kSecAttrPath
 	PathKey = attrKey(C.CFTypeRef(C.kSecAttrPath))
 	// LabelKey is for kSecAttrLabel
 	LabelKey = attrKey(C.CFTypeRef(C.kSecAttrLabel))
 	// AccountKey is for kSecAttrAccount
 	AccountKey = attrKey(C.CFTypeRef(C.kSecAttrAccount))
 	// AccessGroupKey is for kSecAttrAccessGroup
 	AccessGroupKey = attrKey(C.CFTypeRef(C.kSecAttrAccessGroup))
 	// DataKey is for kSecValueData
 	DataKey = attrKey(C.CFTypeRef(C.kSecValueData))
 	// DescriptionKey is for kSecAttrDescription
 	DescriptionKey = attrKey(C.CFTypeRef(C.kSecAttrDescription))
 	// CommentKey is for kSecAttrComment
 	CommentKey = attrKey(C.CFTypeRef(C.kSecAttrComment))
 	// CreationDateKey is for kSecAttrCreationDate
 	CreationDateKey = attrKey(C.CFTypeRef(C.kSecAttrCreationDate))
 	// ModificationDateKey is for kSecAttrModificationDate
 	ModificationDateKey = attrKey(C.CFTypeRef(C.kSecAttrModificationDate))
 )
 // Synchronizable is the items synchronizable status
 type Synchronizable int
 const (
 	// SynchronizableDefault is the default setting
 	SynchronizableDefault Synchronizable = 0
 	// SynchronizableAny is for kSecAttrSynchronizableAny
 	SynchronizableAny = 1
 	// SynchronizableYes enables synchronization
 	SynchronizableYes = 2
 	// SynchronizableNo disables synchronization
 	SynchronizableNo = 3
 )
 // SynchronizableKey is the key type for Synchronizable
 var SynchronizableKey = attrKey(C.CFTypeRef(C.kSecAttrSynchronizable))
 var syncTypeRef = map[Synchronizable]C.CFTypeRef{
 	SynchronizableAny: C.CFTypeRef(C.kSecAttrSynchronizableAny),
 	SynchronizableYes: C.CFTypeRef(C.kCFBooleanTrue),
 	SynchronizableNo:  C.CFTypeRef(C.kCFBooleanFalse),
 }
 // Accessible is the items accessibility
 type Accessible int
 const (
 	// AccessibleDefault is the default
 	AccessibleDefault Accessible = 0
 	// AccessibleWhenUnlocked is when unlocked
 	AccessibleWhenUnlocked = 1
 	// AccessibleAfterFirstUnlock is after first unlock
 	AccessibleAfterFirstUnlock = 2
 	// AccessibleAlways is always
 	AccessibleAlways = 3
 	// AccessibleWhenPasscodeSetThisDeviceOnly is when passcode is set
 	AccessibleWhenPasscodeSetThisDeviceOnly = 4
 	// AccessibleWhenUnlockedThisDeviceOnly is when unlocked for this device only
 	AccessibleWhenUnlockedThisDeviceOnly = 5
 	// AccessibleAfterFirstUnlockThisDeviceOnly is after first unlock for this device only
 	AccessibleAfterFirstUnlockThisDeviceOnly = 6
 	// AccessibleAccessibleAlwaysThisDeviceOnly is always for this device only
 	AccessibleAccessibleAlwaysThisDeviceOnly = 7
 )
 // MatchLimit is whether to limit results on query
 type MatchLimit int
 const (
 	// MatchLimitDefault is the default
 	MatchLimitDefault MatchLimit = 0
 	// MatchLimitOne limits to one result
 	MatchLimitOne = 1
 	// MatchLimitAll is no limit
 	MatchLimitAll = 2
 )
 // MatchLimitKey is key type for MatchLimit
 var MatchLimitKey = attrKey(C.CFTypeRef(C.kSecMatchLimit))
 var matchTypeRef = map[MatchLimit]C.CFTypeRef{
 	MatchLimitOne: C.CFTypeRef(C.kSecMatchLimitOne),
 	MatchLimitAll: C.CFTypeRef(C.kSecMatchLimitAll),
 }
 // ReturnAttributesKey is key type for kSecReturnAttributes
 var ReturnAttributesKey = attrKey(C.CFTypeRef(C.kSecReturnAttributes))
 // ReturnDataKey is key type for kSecReturnData
 var ReturnDataKey = attrKey(C.CFTypeRef(C.kSecReturnData))
 // ReturnRefKey is key type for kSecReturnRef
 var ReturnRefKey = attrKey(C.CFTypeRef(C.kSecReturnRef))
 // Item for adding, querying or deleting.
 type Item struct {
 	// Values can be string, []byte, Convertable or CFTypeRef (constant).
 	attr map[string]interface{}
 }
 // SetSecClass sets the security class
 func (k *Item) SetSecClass(sc SecClass) {
 	k.attr[SecClassKey] = secClassTypeRef[sc]
 }
 // SetInt32 sets an int32 attribute for a string key
 func (k *Item) SetInt32(key string, v int32) {
 	if v != 0 {
 		k.attr[key] = v
 	} else {
 		delete(k.attr, key)
 	}
 }
 // SetString sets a string attibute for a string key
 func (k *Item) SetString(key string, s string) {
 	if s != "" {
 		k.attr[key] = s
 	} else {
 		delete(k.attr, key)
 	}
 }
 // SetService sets the service attribute (for generic application items)
 func (k *Item) SetService(s string) {
 	k.SetString(ServiceKey, s)
 }
 // SetServer sets the server attribute (for internet password items)
 func (k *Item) SetServer(s string) {
 	k.SetString(ServerKey, s)
 }
 // SetProtocol sets the protocol attribute (for internet password items)
 // Example values are: "htps", "http", "smb "
 func (k *Item) SetProtocol(s string) {
 	k.SetString(ProtocolKey, s)
 }
 // SetAuthenticationType sets the authentication type attribute (for internet password items)
 func (k *Item) SetAuthenticationType(s string) {
 	k.SetString(AuthenticationTypeKey, s)
 }
 // SetPort sets the port attribute (for internet password items)
 func (k *Item) SetPort(v int32) {
 	k.SetInt32(PortKey, v)
 }
 // SetPath sets the path attribute (for internet password items)
 func (k *Item) SetPath(s string) {
 	k.SetString(PathKey, s)
 }
 // SetAccount sets the account attribute
 func (k *Item) SetAccount(a string) {
 	k.SetString(AccountKey, a)
 }
 // SetLabel sets the label attribute
 func (k *Item) SetLabel(l string) {
 	k.SetString(LabelKey, l)
 }
 // SetDescription sets the description attribute
 func (k *Item) SetDescription(s string) {
 	k.SetString(DescriptionKey, s)
 }
 // SetComment sets the comment attribute
 func (k *Item) SetComment(s string) {
 	k.SetString(CommentKey, s)
 }
 // SetData sets the data attribute
 func (k *Item) SetData(b []byte) {
 	if b != nil {
 		k.attr[DataKey] = b
 	} else {
 		delete(k.attr, DataKey)
 	}
 }
 // SetAccessGroup sets the access group attribute
 func (k *Item) SetAccessGroup(ag string) {
 	k.SetString(AccessGroupKey, ag)
 }
 // SetSynchronizable sets the synchronizable attribute
 func (k *Item) SetSynchronizable(sync Synchronizable) {
 	if sync != SynchronizableDefault {
 		k.attr[SynchronizableKey] = syncTypeRef[sync]
 	} else {
 		delete(k.attr, SynchronizableKey)
 	}
 }
 // SetAccessible sets the accessible attribute
 func (k *Item) SetAccessible(accessible Accessible) {
 	if accessible != AccessibleDefault {
 		k.attr[AccessibleKey] = accessibleTypeRef[accessible]
 	} else {
 		delete(k.attr, AccessibleKey)
 	}
 }
 // SetMatchLimit sets the match limit
 func (k *Item) SetMatchLimit(matchLimit MatchLimit) {
 	if matchLimit != MatchLimitDefault {
 		k.attr[MatchLimitKey] = matchTypeRef[matchLimit]
 	} else {
 		delete(k.attr, MatchLimitKey)
 	}
 }
 // SetReturnAttributes sets the return value type on query
 func (k *Item) SetReturnAttributes(b bool) {
 	k.attr[ReturnAttributesKey] = b
 }
 // SetReturnData enables returning data on query
 func (k *Item) SetReturnData(b bool) {
 	k.attr[ReturnDataKey] = b
 }
 // SetReturnRef enables returning references on query
 func (k *Item) SetReturnRef(b bool) {
 	k.attr[ReturnRefKey] = b
 }
 // NewItem is a new empty keychain item
 func NewItem() Item {
 	return Item{make(map[string]interface{})}
 }
 // NewGenericPassword creates a generic password item with the default keychain. This is a convenience method.
 func NewGenericPassword(service string, account string, label string, data []byte, accessGroup string) Item {
 	item := NewItem()
 	item.SetSecClass(SecClassGenericPassword)
 	item.SetService(service)
 	item.SetAccount(account)
 	item.SetLabel(label)
 	item.SetData(data)
 	item.SetAccessGroup(accessGroup)
 	return item
 }
 // AddItem adds a Item to a Keychain
 func AddItem(item Item) error {
 	cfDict, err := ConvertMapToCFDictionary(item.attr)
 	if err != nil {
 		return err
 	}
 	defer Release(C.CFTypeRef(cfDict))
 	errCode := C.SecItemAdd(cfDict, nil)
 	err = checkError(errCode)
 	return err
 }
 // UpdateItem updates the queryItem with the parameters from updateItem
 func UpdateItem(queryItem Item, updateItem Item) error {
 	cfDict, err := ConvertMapToCFDictionary(queryItem.attr)
 	if err != nil {
 		return err
 	}
 	defer Release(C.CFTypeRef(cfDict))
 	cfDictUpdate, err := ConvertMapToCFDictionary(updateItem.attr)
 	if err != nil {
 		return err
 	}
 	defer Release(C.CFTypeRef(cfDictUpdate))
 	errCode := C.SecItemUpdate(cfDict, cfDictUpdate)
 	err = checkError(errCode)
 	return err
 }
 // QueryResult stores all possible results from queries.
 // Not all fields are applicable all the time. Results depend on query.
 type QueryResult struct {
 	// For generic application items
 	Service string
 	// For internet password items
 	Server             string
 	Protocol           string
 	AuthenticationType string
 	Port               int32
 	Path               string
 	Account          string
 	AccessGroup      string
 	Label            string
 	Description      string
 	Comment          string
 	Data             []byte
 	CreationDate     time.Time
 	ModificationDate time.Time
 }
 // QueryItemRef returns query result as CFTypeRef. You must release it when you are done.
 func QueryItemRef(item Item) (C.CFTypeRef, error) {
 	cfDict, err := ConvertMapToCFDictionary(item.attr)
 	if err != nil {
 		return 0, err
 	}
 	defer Release(C.CFTypeRef(cfDict))
 	var resultsRef C.CFTypeRef
 	errCode := C.SecItemCopyMatching(cfDict, &resultsRef) //nolint
 	if Error(errCode) == ErrorItemNotFound {
 		return 0, nil
 	}
 	err = checkError(errCode)
 	if err != nil {
 		return 0, err
 	}
 	return resultsRef, nil
 }
 // QueryItem returns a list of query results.
 func QueryItem(item Item) ([]QueryResult, error) {
 	resultsRef, err := QueryItemRef(item)
 	if err != nil {
 		return nil, err
 	}
 	if resultsRef == 0 {
 		return nil, nil
 	}
 	defer Release(resultsRef)
 	results := make([]QueryResult, 0, 1)
 	typeID := C.CFGetTypeID(resultsRef)
 	if typeID == C.CFArrayGetTypeID() {
 		arr := CFArrayToArray(C.CFArrayRef(resultsRef))
 		for _, ref := range arr {
 			elementTypeID := C.CFGetTypeID(ref)
 			if elementTypeID == C.CFDictionaryGetTypeID() {
 				item, err := convertResult(C.CFDictionaryRef(ref))
 				if err != nil {
 					return nil, err
 				}
 				results = append(results, *item)
 			} else {
 				return nil, fmt.Errorf("invalid result type (If you SetReturnRef(true) you should use QueryItemRef directly)")
 			}
 		}
 	} else if typeID == C.CFDictionaryGetTypeID() {
 		item, err := convertResult(C.CFDictionaryRef(resultsRef))
 		if err != nil {
 			return nil, err
 		}
 		results = append(results, *item)
 	} else if typeID == C.CFDataGetTypeID() {
 		b, err := CFDataToBytes(C.CFDataRef(resultsRef))
 		if err != nil {
 			return nil, err
 		}
 		item := QueryResult{Data: b}
 		results = append(results, item)
 	} else {
 		return nil, fmt.Errorf("Invalid result type: %s", CFTypeDescription(resultsRef))
 	}
 	return results, nil
 }
 func attrKey(ref C.CFTypeRef) string {
 	return CFStringToString(C.CFStringRef(ref))
 }
 func convertResult(d C.CFDictionaryRef) (*QueryResult, error) {
 	m := CFDictionaryToMap(d)
 	result := QueryResult{}
 	for k, v := range m {
 		switch attrKey(k) {
 		case ServiceKey:
 			result.Service = CFStringToString(C.CFStringRef(v))
 		case ServerKey:
 			result.Server = CFStringToString(C.CFStringRef(v))
 		case ProtocolKey:
 			result.Protocol = CFStringToString(C.CFStringRef(v))
 		case AuthenticationTypeKey:
 			result.AuthenticationType = CFStringToString(C.CFStringRef(v))
 		case PortKey:
 			val := CFNumberToInterface(C.CFNumberRef(v))
 			result.Port = val.(int32)
 		case PathKey:
 			result.Path = CFStringToString(C.CFStringRef(v))
 		case AccountKey:
 			result.Account = CFStringToString(C.CFStringRef(v))
 		case AccessGroupKey:
 			result.AccessGroup = CFStringToString(C.CFStringRef(v))
 		case LabelKey:
 			result.Label = CFStringToString(C.CFStringRef(v))
 		case DescriptionKey:
 			result.Description = CFStringToString(C.CFStringRef(v))
 		case CommentKey:
 			result.Comment = CFStringToString(C.CFStringRef(v))
 		case DataKey:
 			b, err := CFDataToBytes(C.CFDataRef(v))
 			if err != nil {
 				return nil, err
 			}
 			result.Data = b
 		case CreationDateKey:
 			result.CreationDate = CFDateToTime(C.CFDateRef(v))
 		case ModificationDateKey:
 			result.ModificationDate = CFDateToTime(C.CFDateRef(v))
 			// default:
 			// fmt.Printf("Unhandled key in conversion: %v = %v\n", cfTypeValue(k), cfTypeValue(v))
 		}
 	}
 	return &result, nil
 }
 // DeleteGenericPasswordItem removes a generic password item.
 func DeleteGenericPasswordItem(service string, account string) error {
 	item := NewItem()
 	item.SetSecClass(SecClassGenericPassword)
 	item.SetService(service)
 	item.SetAccount(account)
 	return DeleteItem(item)
 }
 // DeleteItem removes a Item
 func DeleteItem(item Item) error {
 	cfDict, err := ConvertMapToCFDictionary(item.attr)
 	if err != nil {
 		return err
 	}
 	defer Release(C.CFTypeRef(cfDict))
 	errCode := C.SecItemDelete(cfDict)
 	return checkError(errCode)
 }
 // GetAccountsForService is deprecated
 func GetAccountsForService(service string) ([]string, error) {
 	return GetGenericPasswordAccounts(service)
 }
 // GetGenericPasswordAccounts returns generic password accounts for service. This is a convenience method.
 func GetGenericPasswordAccounts(service string) ([]string, error) {
 	query := NewItem()
 	query.SetSecClass(SecClassGenericPassword)
 	query.SetService(service)
 	query.SetMatchLimit(MatchLimitAll)
 	query.SetReturnAttributes(true)
 	results, err := QueryItem(query)
 	if err != nil {
 		return nil, err
 	}
 	accounts := make([]string, 0, len(results))
 	for _, r := range results {
 		accounts = append(accounts, r.Account)
 	}
 	return accounts, nil
 }
 // GetGenericPassword returns password data for service and account. This is a convenience method.
 // If item is not found returns nil, nil.
 func GetGenericPassword(service string, account string, label string, accessGroup string) ([]byte, error) {
 	query := NewItem()
 	query.SetSecClass(SecClassGenericPassword)
 	query.SetService(service)
 	query.SetAccount(account)
 	query.SetLabel(label)
 	query.SetAccessGroup(accessGroup)
 	query.SetMatchLimit(MatchLimitOne)
 	query.SetReturnData(true)
 	results, err := QueryItem(query)
 	if err != nil {
 		return nil, err
 	}
 	if len(results) > 1 {
 		return nil, fmt.Errorf("Too many results")
 	}
 	if len(results) == 1 {
 		return results[0].Data, nil
 	}
 	return nil, nil
 }
@@ -0,0 +1,25 @@
 //go:build darwin && !ios
 // +build darwin,!ios
 package keychain
 /*
 #cgo LDFLAGS: -framework CoreFoundation -framework Security
 #include <CoreFoundation/CoreFoundation.h>
 #include <Security/Security.h>
 */
 import "C"
 // AccessibleKey is key for kSecAttrAccessible
 var AccessibleKey = attrKey(C.CFTypeRef(C.kSecAttrAccessible))
 var accessibleTypeRef = map[Accessible]C.CFTypeRef{
 	AccessibleWhenUnlocked:                   C.CFTypeRef(C.kSecAttrAccessibleWhenUnlocked),
 	AccessibleAfterFirstUnlock:               C.CFTypeRef(C.kSecAttrAccessibleAfterFirstUnlock),
 	AccessibleAlways:                         C.CFTypeRef(C.kSecAttrAccessibleAlways),
 	AccessibleWhenUnlockedThisDeviceOnly:     C.CFTypeRef(C.kSecAttrAccessibleWhenUnlockedThisDeviceOnly),
 	AccessibleAfterFirstUnlockThisDeviceOnly: C.CFTypeRef(C.kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly),
 	AccessibleAccessibleAlwaysThisDeviceOnly: C.CFTypeRef(C.kSecAttrAccessibleAlwaysThisDeviceOnly),
 	// Only available in 10.10
 	//AccessibleWhenPasscodeSetThisDeviceOnly:  C.CFTypeRef(C.kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly),
 }
@@ -0,0 +1,31 @@
 package keychain
 import (
 	"crypto/rand"
 	"encoding/base32"
 	"strings"
 )
 var randRead = rand.Read
 // RandomID returns random ID (base32) string with prefix, using 256 bits as
 // recommended by tptacek: https://gist.github.com/tqbf/be58d2d39690c3b366ad
 func RandomID(prefix string) (string, error) {
 	buf, err := RandBytes(32)
 	if err != nil {
 		return "", err
 	}
 	str := base32.StdEncoding.EncodeToString(buf)
 	str = strings.ReplaceAll(str, "=", "")
 	str = prefix + str
 	return str, nil
 }
 // RandBytes returns random bytes of length
 func RandBytes(length int) ([]byte, error) {
 	buf := make([]byte, length)
 	if _, err := randRead(buf); err != nil {
 		return nil, err
 	}
 	return buf, nil
 }
@@ -0,0 +1,27 @@
 Copyright (c) 2009 The Go Authors. All rights reserved.
 Redistribution and use in source and binary forms, with or without
 modification, are permitted provided that the following conditions are
 met:
   * Redistributions of source code must retain the above copyright
 notice, this list of conditions and the following disclaimer.
   * Redistributions in binary form must reproduce the above
 copyright notice, this list of conditions and the following disclaimer
 in the documentation and/or other materials provided with the
 distribution.
   * Neither the name of Google Inc. nor the names of its
 contributors may be used to endorse or promote products derived from
 this software without specific prior written permission.
 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
 A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
 OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
 LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
@@ -0,0 +1,22 @@
 Additional IP Rights Grant (Patents)
 "This implementation" means the copyrightable works distributed by
 Google as part of the Go project.
 Google hereby grants to You a perpetual, worldwide, non-exclusive,
 no-charge, royalty-free, irrevocable (except as stated in this section)
 patent license to make, have made, use, offer to sell, sell, import,
 transfer and otherwise run, modify and propagate the contents of this
 implementation of Go, where such license applies only to those patent
 claims, both currently owned or controlled by Google and acquired in
 the future, licensable by Google that are necessarily infringed by this
 implementation of Go.  This grant does not include claims that would be
 infringed only as a consequence of further modification of this
 implementation.  If you or your agent or exclusive licensee institute or
 order or agree to the institution of patent litigation against any
 entity (including a cross-claim or counterclaim in a lawsuit) alleging
 that this implementation of Go or any code incorporated within this
 implementation of Go constitutes direct or contributory patent
 infringement, or inducement of patent infringement, then any patent
 rights granted to you under this License for this implementation of Go
 shall terminate as of the date such litigation is filed.
@@ -0,0 +1,12 @@
 // Copyright 2018 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 //go:build windows
 package windows
 import "syscall"
 type Errno = syscall.Errno
 type SysProcAttr = syscall.SysProcAttr
@@ -0,0 +1,416 @@
 // Copyright 2011 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 package windows
 import (
 	"sync"
 	"sync/atomic"
 	"syscall"
 	"unsafe"
 )
 // We need to use LoadLibrary and GetProcAddress from the Go runtime, because
 // the these symbols are loaded by the system linker and are required to
 // dynamically load additional symbols. Note that in the Go runtime, these
 // return syscall.Handle and syscall.Errno, but these are the same, in fact,
 // as windows.Handle and windows.Errno, and we intend to keep these the same.
 //go:linkname syscall_loadlibrary syscall.loadlibrary
 func syscall_loadlibrary(filename *uint16) (handle Handle, err Errno)
 //go:linkname syscall_getprocaddress syscall.getprocaddress
 func syscall_getprocaddress(handle Handle, procname *uint8) (proc uintptr, err Errno)
 // DLLError describes reasons for DLL load failures.
 type DLLError struct {
 	Err     error
 	ObjName string
 	Msg     string
 }
 func (e *DLLError) Error() string { return e.Msg }
 func (e *DLLError) Unwrap() error { return e.Err }
 // A DLL implements access to a single DLL.
 type DLL struct {
 	Name   string
 	Handle Handle
 }
 // LoadDLL loads DLL file into memory.
 //
 // Warning: using LoadDLL without an absolute path name is subject to
 // DLL preloading attacks. To safely load a system DLL, use LazyDLL
 // with System set to true, or use LoadLibraryEx directly.
 func LoadDLL(name string) (dll *DLL, err error) {
 	namep, err := UTF16PtrFromString(name)
 	if err != nil {
 		return nil, err
 	}
 	h, e := syscall_loadlibrary(namep)
 	if e != 0 {
 		return nil, &DLLError{
 			Err:     e,
 			ObjName: name,
 			Msg:     "Failed to load " + name + ": " + e.Error(),
 		}
 	}
 	d := &DLL{
 		Name:   name,
 		Handle: h,
 	}
 	return d, nil
 }
 // MustLoadDLL is like LoadDLL but panics if load operation failes.
 func MustLoadDLL(name string) *DLL {
 	d, e := LoadDLL(name)
 	if e != nil {
 		panic(e)
 	}
 	return d
 }
 // FindProc searches DLL d for procedure named name and returns *Proc
 // if found. It returns an error if search fails.
 func (d *DLL) FindProc(name string) (proc *Proc, err error) {
 	namep, err := BytePtrFromString(name)
 	if err != nil {
 		return nil, err
 	}
 	a, e := syscall_getprocaddress(d.Handle, namep)
 	if e != 0 {
 		return nil, &DLLError{
 			Err:     e,
 			ObjName: name,
 			Msg:     "Failed to find " + name + " procedure in " + d.Name + ": " + e.Error(),
 		}
 	}
 	p := &Proc{
 		Dll:  d,
 		Name: name,
 		addr: a,
 	}
 	return p, nil
 }
 // MustFindProc is like FindProc but panics if search fails.
 func (d *DLL) MustFindProc(name string) *Proc {
 	p, e := d.FindProc(name)
 	if e != nil {
 		panic(e)
 	}
 	return p
 }
 // FindProcByOrdinal searches DLL d for procedure by ordinal and returns *Proc
 // if found. It returns an error if search fails.
 func (d *DLL) FindProcByOrdinal(ordinal uintptr) (proc *Proc, err error) {
 	a, e := GetProcAddressByOrdinal(d.Handle, ordinal)
 	name := "#" + itoa(int(ordinal))
 	if e != nil {
 		return nil, &DLLError{
 			Err:     e,
 			ObjName: name,
 			Msg:     "Failed to find " + name + " procedure in " + d.Name + ": " + e.Error(),
 		}
 	}
 	p := &Proc{
 		Dll:  d,
 		Name: name,
 		addr: a,
 	}
 	return p, nil
 }
 // MustFindProcByOrdinal is like FindProcByOrdinal but panics if search fails.
 func (d *DLL) MustFindProcByOrdinal(ordinal uintptr) *Proc {
 	p, e := d.FindProcByOrdinal(ordinal)
 	if e != nil {
 		panic(e)
 	}
 	return p
 }
 // Release unloads DLL d from memory.
 func (d *DLL) Release() (err error) {
 	return FreeLibrary(d.Handle)
 }
 // A Proc implements access to a procedure inside a DLL.
 type Proc struct {
 	Dll  *DLL
 	Name string
 	addr uintptr
 }
 // Addr returns the address of the procedure represented by p.
 // The return value can be passed to Syscall to run the procedure.
 func (p *Proc) Addr() uintptr {
 	return p.addr
 }
 //go:uintptrescapes
 // Call executes procedure p with arguments a. It will panic, if more than 15 arguments
 // are supplied.
 //
 // The returned error is always non-nil, constructed from the result of GetLastError.
 // Callers must inspect the primary return value to decide whether an error occurred
 // (according to the semantics of the specific function being called) before consulting
 // the error. The error will be guaranteed to contain windows.Errno.
 func (p *Proc) Call(a ...uintptr) (r1, r2 uintptr, lastErr error) {
 	switch len(a) {
 	case 0:
 		return syscall.Syscall(p.Addr(), uintptr(len(a)), 0, 0, 0)
 	case 1:
 		return syscall.Syscall(p.Addr(), uintptr(len(a)), a[0], 0, 0)
 	case 2:
 		return syscall.Syscall(p.Addr(), uintptr(len(a)), a[0], a[1], 0)
 	case 3:
 		return syscall.Syscall(p.Addr(), uintptr(len(a)), a[0], a[1], a[2])
 	case 4:
 		return syscall.Syscall6(p.Addr(), uintptr(len(a)), a[0], a[1], a[2], a[3], 0, 0)
 	case 5:
 		return syscall.Syscall6(p.Addr(), uintptr(len(a)), a[0], a[1], a[2], a[3], a[4], 0)
 	case 6:
 		return syscall.Syscall6(p.Addr(), uintptr(len(a)), a[0], a[1], a[2], a[3], a[4], a[5])
 	case 7:
 		return syscall.Syscall9(p.Addr(), uintptr(len(a)), a[0], a[1], a[2], a[3], a[4], a[5], a[6], 0, 0)
 	case 8:
 		return syscall.Syscall9(p.Addr(), uintptr(len(a)), a[0], a[1], a[2], a[3], a[4], a[5], a[6], a[7], 0)
 	case 9:
 		return syscall.Syscall9(p.Addr(), uintptr(len(a)), a[0], a[1], a[2], a[3], a[4], a[5], a[6], a[7], a[8])
 	case 10:
 		return syscall.Syscall12(p.Addr(), uintptr(len(a)), a[0], a[1], a[2], a[3], a[4], a[5], a[6], a[7], a[8], a[9], 0, 0)
 	case 11:
 		return syscall.Syscall12(p.Addr(), uintptr(len(a)), a[0], a[1], a[2], a[3], a[4], a[5], a[6], a[7], a[8], a[9], a[10], 0)
 	case 12:
 		return syscall.Syscall12(p.Addr(), uintptr(len(a)), a[0], a[1], a[2], a[3], a[4], a[5], a[6], a[7], a[8], a[9], a[10], a[11])
 	case 13:
 		return syscall.Syscall15(p.Addr(), uintptr(len(a)), a[0], a[1], a[2], a[3], a[4], a[5], a[6], a[7], a[8], a[9], a[10], a[11], a[12], 0, 0)
 	case 14:
 		return syscall.Syscall15(p.Addr(), uintptr(len(a)), a[0], a[1], a[2], a[3], a[4], a[5], a[6], a[7], a[8], a[9], a[10], a[11], a[12], a[13], 0)
 	case 15:
 		return syscall.Syscall15(p.Addr(), uintptr(len(a)), a[0], a[1], a[2], a[3], a[4], a[5], a[6], a[7], a[8], a[9], a[10], a[11], a[12], a[13], a[14])
 	default:
 		panic("Call " + p.Name + " with too many arguments " + itoa(len(a)) + ".")
 	}
 }
 // A LazyDLL implements access to a single DLL.
 // It will delay the load of the DLL until the first
 // call to its Handle method or to one of its
 // LazyProc's Addr method.
 type LazyDLL struct {
 	Name string
 	// System determines whether the DLL must be loaded from the
 	// Windows System directory, bypassing the normal DLL search
 	// path.
 	System bool
 	mu  sync.Mutex
 	dll *DLL // non nil once DLL is loaded
 }
 // Load loads DLL file d.Name into memory. It returns an error if fails.
 // Load will not try to load DLL, if it is already loaded into memory.
 func (d *LazyDLL) Load() error {
 	// Non-racy version of:
 	// if d.dll != nil {
 	if atomic.LoadPointer((*unsafe.Pointer)(unsafe.Pointer(&d.dll))) != nil {
 		return nil
 	}
 	d.mu.Lock()
 	defer d.mu.Unlock()
 	if d.dll != nil {
 		return nil
 	}
 	// kernel32.dll is special, since it's where LoadLibraryEx comes from.
 	// The kernel already special-cases its name, so it's always
 	// loaded from system32.
 	var dll *DLL
 	var err error
 	if d.Name == "kernel32.dll" {
 		dll, err = LoadDLL(d.Name)
 	} else {
 		dll, err = loadLibraryEx(d.Name, d.System)
 	}
 	if err != nil {
 		return err
 	}
 	// Non-racy version of:
 	// d.dll = dll
 	atomic.StorePointer((*unsafe.Pointer)(unsafe.Pointer(&d.dll)), unsafe.Pointer(dll))
 	return nil
 }
 // mustLoad is like Load but panics if search fails.
 func (d *LazyDLL) mustLoad() {
 	e := d.Load()
 	if e != nil {
 		panic(e)
 	}
 }
 // Handle returns d's module handle.
 func (d *LazyDLL) Handle() uintptr {
 	d.mustLoad()
 	return uintptr(d.dll.Handle)
 }
 // NewProc returns a LazyProc for accessing the named procedure in the DLL d.
 func (d *LazyDLL) NewProc(name string) *LazyProc {
 	return &LazyProc{l: d, Name: name}
 }
 // NewLazyDLL creates new LazyDLL associated with DLL file.
 func NewLazyDLL(name string) *LazyDLL {
 	return &LazyDLL{Name: name}
 }
 // NewLazySystemDLL is like NewLazyDLL, but will only
 // search Windows System directory for the DLL if name is
 // a base name (like "advapi32.dll").
 func NewLazySystemDLL(name string) *LazyDLL {
 	return &LazyDLL{Name: name, System: true}
 }
 // A LazyProc implements access to a procedure inside a LazyDLL.
 // It delays the lookup until the Addr method is called.
 type LazyProc struct {
 	Name string
 	mu   sync.Mutex
 	l    *LazyDLL
 	proc *Proc
 }
 // Find searches DLL for procedure named p.Name. It returns
 // an error if search fails. Find will not search procedure,
 // if it is already found and loaded into memory.
 func (p *LazyProc) Find() error {
 	// Non-racy version of:
 	// if p.proc == nil {
 	if atomic.LoadPointer((*unsafe.Pointer)(unsafe.Pointer(&p.proc))) == nil {
 		p.mu.Lock()
 		defer p.mu.Unlock()
 		if p.proc == nil {
 			e := p.l.Load()
 			if e != nil {
 				return e
 			}
 			proc, e := p.l.dll.FindProc(p.Name)
 			if e != nil {
 				return e
 			}
 			// Non-racy version of:
 			// p.proc = proc
 			atomic.StorePointer((*unsafe.Pointer)(unsafe.Pointer(&p.proc)), unsafe.Pointer(proc))
 		}
 	}
 	return nil
 }
 // mustFind is like Find but panics if search fails.
 func (p *LazyProc) mustFind() {
 	e := p.Find()
 	if e != nil {
 		panic(e)
 	}
 }
 // Addr returns the address of the procedure represented by p.
 // The return value can be passed to Syscall to run the procedure.
 // It will panic if the procedure cannot be found.
 func (p *LazyProc) Addr() uintptr {
 	p.mustFind()
 	return p.proc.Addr()
 }
 //go:uintptrescapes
 // Call executes procedure p with arguments a. It will panic, if more than 15 arguments
 // are supplied. It will also panic if the procedure cannot be found.
 //
 // The returned error is always non-nil, constructed from the result of GetLastError.
 // Callers must inspect the primary return value to decide whether an error occurred
 // (according to the semantics of the specific function being called) before consulting
 // the error. The error will be guaranteed to contain windows.Errno.
 func (p *LazyProc) Call(a ...uintptr) (r1, r2 uintptr, lastErr error) {
 	p.mustFind()
 	return p.proc.Call(a...)
 }
 var canDoSearchSystem32Once struct {
 	sync.Once
 	v bool
 }
 func initCanDoSearchSystem32() {
 	// https://msdn.microsoft.com/en-us/library/ms684179(v=vs.85).aspx says:
 	// "Windows 7, Windows Server 2008 R2, Windows Vista, and Windows
 	// Server 2008: The LOAD_LIBRARY_SEARCH_* flags are available on
 	// systems that have KB2533623 installed. To determine whether the
 	// flags are available, use GetProcAddress to get the address of the
 	// AddDllDirectory, RemoveDllDirectory, or SetDefaultDllDirectories
 	// function. If GetProcAddress succeeds, the LOAD_LIBRARY_SEARCH_*
 	// flags can be used with LoadLibraryEx."
 	canDoSearchSystem32Once.v = (modkernel32.NewProc("AddDllDirectory").Find() == nil)
 }
 func canDoSearchSystem32() bool {
 	canDoSearchSystem32Once.Do(initCanDoSearchSystem32)
 	return canDoSearchSystem32Once.v
 }
 func isBaseName(name string) bool {
 	for _, c := range name {
 		if c == ':' || c == '/' || c == '\\' {
 			return false
 		}
 	}
 	return true
 }
 // loadLibraryEx wraps the Windows LoadLibraryEx function.
 //
 // See https://msdn.microsoft.com/en-us/library/windows/desktop/ms684179(v=vs.85).aspx
 //
 // If name is not an absolute path, LoadLibraryEx searches for the DLL
 // in a variety of automatic locations unless constrained by flags.
 // See: https://msdn.microsoft.com/en-us/library/ff919712%28VS.85%29.aspx
 func loadLibraryEx(name string, system bool) (*DLL, error) {
 	loadDLL := name
 	var flags uintptr
 	if system {
 		if canDoSearchSystem32() {
 			flags = LOAD_LIBRARY_SEARCH_SYSTEM32
 		} else if isBaseName(name) {
 			// WindowsXP or unpatched Windows machine
 			// trying to load "foo.dll" out of the system
 			// folder, but LoadLibraryEx doesn't support
 			// that yet on their system, so emulate it.
 			systemdir, err := GetSystemDirectory()
 			if err != nil {
 				return nil, err
 			}
 			loadDLL = systemdir + "\\" + name
 		}
 	}
 	h, err := LoadLibraryEx(loadDLL, 0, flags)
 	if err != nil {
 		return nil, err
 	}
 	return &DLL{Name: name, Handle: h}, nil
 }
 type errString string
 func (s errString) Error() string { return string(s) }
@@ -0,0 +1,57 @@
 // Copyright 2010 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 // Windows environment variables.
 package windows
 import (
 	"syscall"
 	"unsafe"
 )
 func Getenv(key string) (value string, found bool) {
 	return syscall.Getenv(key)
 }
 func Setenv(key, value string) error {
 	return syscall.Setenv(key, value)
 }
 func Clearenv() {
 	syscall.Clearenv()
 }
 func Environ() []string {
 	return syscall.Environ()
 }
 // Returns a default environment associated with the token, rather than the current
 // process. If inheritExisting is true, then this environment also inherits the
 // environment of the current process.
 func (token Token) Environ(inheritExisting bool) (env []string, err error) {
 	var block *uint16
 	err = CreateEnvironmentBlock(&block, token, inheritExisting)
 	if err != nil {
 		return nil, err
 	}
 	defer DestroyEnvironmentBlock(block)
 	size := unsafe.Sizeof(*block)
 	for *block != 0 {
 		// find NUL terminator
 		end := unsafe.Pointer(block)
 		for *(*uint16)(end) != 0 {
 			end = unsafe.Add(end, size)
 		}
 		entry := unsafe.Slice(block, (uintptr(end)-uintptr(unsafe.Pointer(block)))/size)
 		env = append(env, UTF16ToString(entry))
 		block = (*uint16)(unsafe.Add(end, size))
 	}
 	return env, nil
 }
 func Unsetenv(key string) error {
 	return syscall.Unsetenv(key)
 }
@@ -0,0 +1,20 @@
 // Copyright 2012 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 //go:build windows
 package windows
 const (
 	EVENTLOG_SUCCESS          = 0
 	EVENTLOG_ERROR_TYPE       = 1
 	EVENTLOG_WARNING_TYPE     = 2
 	EVENTLOG_INFORMATION_TYPE = 4
 	EVENTLOG_AUDIT_SUCCESS    = 8
 	EVENTLOG_AUDIT_FAILURE    = 16
 )
 //sys	RegisterEventSource(uncServerName *uint16, sourceName *uint16) (handle Handle, err error) [failretval==0] = advapi32.RegisterEventSourceW
 //sys	DeregisterEventSource(handle Handle) (err error) = advapi32.DeregisterEventSource
 //sys	ReportEvent(log Handle, etype uint16, category uint16, eventId uint32, usrSId uintptr, numStrings uint16, dataSize uint32, strings **uint16, rawData *byte) (err error) = advapi32.ReportEventW
@@ -0,0 +1,248 @@
 // Copyright 2009 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 // Fork, exec, wait, etc.
 package windows
 import (
 	errorspkg "errors"
 	"unsafe"
 )
 // EscapeArg rewrites command line argument s as prescribed
 // in http://msdn.microsoft.com/en-us/library/ms880421.
 // This function returns "" (2 double quotes) if s is empty.
 // Alternatively, these transformations are done:
 //   - every back slash (\) is doubled, but only if immediately
 //     followed by double quote (");
 //   - every double quote (") is escaped by back slash (\);
 //   - finally, s is wrapped with double quotes (arg -> "arg"),
 //     but only if there is space or tab inside s.
 func EscapeArg(s string) string {
 	if len(s) == 0 {
 		return `""`
 	}
 	n := len(s)
 	hasSpace := false
 	for i := 0; i < len(s); i++ {
 		switch s[i] {
 		case '"', '\\':
 			n++
 		case ' ', '\t':
 			hasSpace = true
 		}
 	}
 	if hasSpace {
 		n += 2 // Reserve space for quotes.
 	}
 	if n == len(s) {
 		return s
 	}
 	qs := make([]byte, n)
 	j := 0
 	if hasSpace {
 		qs[j] = '"'
 		j++
 	}
 	slashes := 0
 	for i := 0; i < len(s); i++ {
 		switch s[i] {
 		default:
 			slashes = 0
 			qs[j] = s[i]
 		case '\\':
 			slashes++
 			qs[j] = s[i]
 		case '"':
 			for ; slashes > 0; slashes-- {
 				qs[j] = '\\'
 				j++
 			}
 			qs[j] = '\\'
 			j++
 			qs[j] = s[i]
 		}
 		j++
 	}
 	if hasSpace {
 		for ; slashes > 0; slashes-- {
 			qs[j] = '\\'
 			j++
 		}
 		qs[j] = '"'
 		j++
 	}
 	return string(qs[:j])
 }
 // ComposeCommandLine escapes and joins the given arguments suitable for use as a Windows command line,
 // in CreateProcess's CommandLine argument, CreateService/ChangeServiceConfig's BinaryPathName argument,
 // or any program that uses CommandLineToArgv.
 func ComposeCommandLine(args []string) string {
 	if len(args) == 0 {
 		return ""
 	}
 	// Per https://learn.microsoft.com/en-us/windows/win32/api/shellapi/nf-shellapi-commandlinetoargvw:
 	// “This function accepts command lines that contain a program name; the
 	// program name can be enclosed in quotation marks or not.”
 	//
 	// Unfortunately, it provides no means of escaping interior quotation marks
 	// within that program name, and we have no way to report them here.
 	prog := args[0]
 	mustQuote := len(prog) == 0
 	for i := 0; i < len(prog); i++ {
 		c := prog[i]
 		if c <= ' ' || (c == '"' && i == 0) {
 			// Force quotes for not only the ASCII space and tab as described in the
 			// MSDN article, but also ASCII control characters.
 			// The documentation for CommandLineToArgvW doesn't say what happens when
 			// the first argument is not a valid program name, but it empirically
 			// seems to drop unquoted control characters.
 			mustQuote = true
 			break
 		}
 	}
 	var commandLine []byte
 	if mustQuote {
 		commandLine = make([]byte, 0, len(prog)+2)
 		commandLine = append(commandLine, '"')
 		for i := 0; i < len(prog); i++ {
 			c := prog[i]
 			if c == '"' {
 				// This quote would interfere with our surrounding quotes.
 				// We have no way to report an error, so just strip out
 				// the offending character instead.
 				continue
 			}
 			commandLine = append(commandLine, c)
 		}
 		commandLine = append(commandLine, '"')
 	} else {
 		if len(args) == 1 {
 			// args[0] is a valid command line representing itself.
 			// No need to allocate a new slice or string for it.
 			return prog
 		}
 		commandLine = []byte(prog)
 	}
 	for _, arg := range args[1:] {
 		commandLine = append(commandLine, ' ')
 		// TODO(bcmills): since we're already appending to a slice, it would be nice
 		// to avoid the intermediate allocations of EscapeArg.
 		// Perhaps we can factor out an appendEscapedArg function.
 		commandLine = append(commandLine, EscapeArg(arg)...)
 	}
 	return string(commandLine)
 }
 // DecomposeCommandLine breaks apart its argument command line into unescaped parts using CommandLineToArgv,
 // as gathered from GetCommandLine, QUERY_SERVICE_CONFIG's BinaryPathName argument, or elsewhere that
 // command lines are passed around.
 // DecomposeCommandLine returns an error if commandLine contains NUL.
 func DecomposeCommandLine(commandLine string) ([]string, error) {
 	if len(commandLine) == 0 {
 		return []string{}, nil
 	}
 	utf16CommandLine, err := UTF16FromString(commandLine)
 	if err != nil {
 		return nil, errorspkg.New("string with NUL passed to DecomposeCommandLine")
 	}
 	var argc int32
 	argv, err := commandLineToArgv(&utf16CommandLine[0], &argc)
 	if err != nil {
 		return nil, err
 	}
 	defer LocalFree(Handle(unsafe.Pointer(argv)))
 	var args []string
 	for _, p := range unsafe.Slice(argv, argc) {
 		args = append(args, UTF16PtrToString(p))
 	}
 	return args, nil
 }
 // CommandLineToArgv parses a Unicode command line string and sets
 // argc to the number of parsed arguments.
 //
 // The returned memory should be freed using a single call to LocalFree.
 //
 // Note that although the return type of CommandLineToArgv indicates 8192
 // entries of up to 8192 characters each, the actual count of parsed arguments
 // may exceed 8192, and the documentation for CommandLineToArgvW does not mention
 // any bound on the lengths of the individual argument strings.
 // (See https://go.dev/issue/63236.)
 func CommandLineToArgv(cmd *uint16, argc *int32) (argv *[8192]*[8192]uint16, err error) {
 	argp, err := commandLineToArgv(cmd, argc)
 	argv = (*[8192]*[8192]uint16)(unsafe.Pointer(argp))
 	return argv, err
 }
 func CloseOnExec(fd Handle) {
 	SetHandleInformation(Handle(fd), HANDLE_FLAG_INHERIT, 0)
 }
 // FullPath retrieves the full path of the specified file.
 func FullPath(name string) (path string, err error) {
 	p, err := UTF16PtrFromString(name)
 	if err != nil {
 		return "", err
 	}
 	n := uint32(100)
 	for {
 		buf := make([]uint16, n)
 		n, err = GetFullPathName(p, uint32(len(buf)), &buf[0], nil)
 		if err != nil {
 			return "", err
 		}
 		if n <= uint32(len(buf)) {
 			return UTF16ToString(buf[:n]), nil
 		}
 	}
 }
 // NewProcThreadAttributeList allocates a new ProcThreadAttributeListContainer, with the requested maximum number of attributes.
 func NewProcThreadAttributeList(maxAttrCount uint32) (*ProcThreadAttributeListContainer, error) {
 	var size uintptr
 	err := initializeProcThreadAttributeList(nil, maxAttrCount, 0, &size)
 	if err != ERROR_INSUFFICIENT_BUFFER {
 		if err == nil {
 			return nil, errorspkg.New("unable to query buffer size from InitializeProcThreadAttributeList")
 		}
 		return nil, err
 	}
 	alloc, err := LocalAlloc(LMEM_FIXED, uint32(size))
 	if err != nil {
 		return nil, err
 	}
 	// size is guaranteed to be ≥1 by InitializeProcThreadAttributeList.
 	al := &ProcThreadAttributeListContainer{data: (*ProcThreadAttributeList)(unsafe.Pointer(alloc))}
 	err = initializeProcThreadAttributeList(al.data, maxAttrCount, 0, &size)
 	if err != nil {
 		return nil, err
 	}
 	return al, err
 }
 // Update modifies the ProcThreadAttributeList using UpdateProcThreadAttribute.
 func (al *ProcThreadAttributeListContainer) Update(attribute uintptr, value unsafe.Pointer, size uintptr) error {
 	al.pointers = append(al.pointers, value)
 	return updateProcThreadAttribute(al.data, 0, attribute, value, size, nil, nil)
 }
 // Delete frees ProcThreadAttributeList's resources.
 func (al *ProcThreadAttributeListContainer) Delete() {
 	deleteProcThreadAttributeList(al.data)
 	LocalFree(Handle(unsafe.Pointer(al.data)))
 	al.data = nil
 	al.pointers = nil
 }
 // List returns the actual ProcThreadAttributeList to be passed to StartupInfoEx.
 func (al *ProcThreadAttributeListContainer) List() *ProcThreadAttributeList {
 	return al.data
 }
@@ -0,0 +1,48 @@
 // Copyright 2017 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 package windows
 const (
 	MEM_COMMIT      = 0x00001000
 	MEM_RESERVE     = 0x00002000
 	MEM_DECOMMIT    = 0x00004000
 	MEM_RELEASE     = 0x00008000
 	MEM_RESET       = 0x00080000
 	MEM_TOP_DOWN    = 0x00100000
 	MEM_WRITE_WATCH = 0x00200000
 	MEM_PHYSICAL    = 0x00400000
 	MEM_RESET_UNDO  = 0x01000000
 	MEM_LARGE_PAGES = 0x20000000
 	PAGE_NOACCESS          = 0x00000001
 	PAGE_READONLY          = 0x00000002
 	PAGE_READWRITE         = 0x00000004
 	PAGE_WRITECOPY         = 0x00000008
 	PAGE_EXECUTE           = 0x00000010
 	PAGE_EXECUTE_READ      = 0x00000020
 	PAGE_EXECUTE_READWRITE = 0x00000040
 	PAGE_EXECUTE_WRITECOPY = 0x00000080
 	PAGE_GUARD             = 0x00000100
 	PAGE_NOCACHE           = 0x00000200
 	PAGE_WRITECOMBINE      = 0x00000400
 	PAGE_TARGETS_INVALID   = 0x40000000
 	PAGE_TARGETS_NO_UPDATE = 0x40000000
 	QUOTA_LIMITS_HARDWS_MIN_DISABLE = 0x00000002
 	QUOTA_LIMITS_HARDWS_MIN_ENABLE  = 0x00000001
 	QUOTA_LIMITS_HARDWS_MAX_DISABLE = 0x00000008
 	QUOTA_LIMITS_HARDWS_MAX_ENABLE  = 0x00000004
 )
 type MemoryBasicInformation struct {
 	BaseAddress       uintptr
 	AllocationBase    uintptr
 	AllocationProtect uint32
 	PartitionId       uint16
 	RegionSize        uintptr
 	State             uint32
 	Protect           uint32
 	Type              uint32
 }
@@ -0,0 +1,70 @@
 #!/bin/bash
 # Copyright 2019 The Go Authors. All rights reserved.
 # Use of this source code is governed by a BSD-style
 # license that can be found in the LICENSE file.
 set -e
 shopt -s nullglob
 winerror="$(printf '%s\n' "/mnt/c/Program Files (x86)/Windows Kits/"/*/Include/*/shared/winerror.h | sort -Vr | head -n 1)"
 [[ -n $winerror ]] || { echo "Unable to find winerror.h" >&2; exit 1; }
 ntstatus="$(printf '%s\n' "/mnt/c/Program Files (x86)/Windows Kits/"/*/Include/*/shared/ntstatus.h | sort -Vr | head -n 1)"
 [[ -n $ntstatus ]] || { echo "Unable to find ntstatus.h" >&2; exit 1; }
 declare -A errors
 {
 	echo "// Code generated by 'mkerrors.bash'; DO NOT EDIT."
 	echo
 	echo "package windows"
 	echo "import \"syscall\""
 	echo "const ("
 	while read -r line; do
 		unset vtype
 		if [[ $line =~ ^#define\ +([A-Z0-9_]+k?)\ +([A-Z0-9_]+\()?([A-Z][A-Z0-9_]+k?)\)? ]]; then
 			key="${BASH_REMATCH[1]}"
 			value="${BASH_REMATCH[3]}"
 		elif [[ $line =~ ^#define\ +([A-Z0-9_]+k?)\ +([A-Z0-9_]+\()?((0x)?[0-9A-Fa-f]+)L?\)? ]]; then
 			key="${BASH_REMATCH[1]}"
 			value="${BASH_REMATCH[3]}"
 			vtype="${BASH_REMATCH[2]}"
 		elif [[ $line =~ ^#define\ +([A-Z0-9_]+k?)\ +\(\(([A-Z]+)\)((0x)?[0-9A-Fa-f]+)L?\) ]]; then
 			key="${BASH_REMATCH[1]}"
 			value="${BASH_REMATCH[3]}"
 			vtype="${BASH_REMATCH[2]}"
 		else
 			continue
 		fi
 		[[ -n $key && -n $value ]] || continue
 		[[ -z ${errors["$key"]} ]] || continue
 		errors["$key"]="$value"
 		if [[ -v vtype ]]; then
 			if [[ $key == FACILITY_* || $key == NO_ERROR ]]; then
 				vtype=""
 			elif [[ $vtype == *HANDLE* || $vtype == *HRESULT* ]]; then
 				vtype="Handle"
 			else
 				vtype="syscall.Errno"
 			fi
 			last_vtype="$vtype"
 		else
 			vtype=""
 			if [[ $last_vtype == Handle && $value == NO_ERROR ]]; then
 				value="S_OK"
 			elif [[ $last_vtype == syscall.Errno && $value == NO_ERROR ]]; then
 				value="ERROR_SUCCESS"
 			fi
 		fi
 		echo "$key $vtype = $value"
 	done < "$winerror"
 	while read -r line; do
 		[[ $line =~ ^#define\ (STATUS_[^\s]+)\ +\(\(NTSTATUS\)((0x)?[0-9a-fA-F]+)L?\) ]] || continue
 		echo "${BASH_REMATCH[1]} NTStatus = ${BASH_REMATCH[2]}"
 	done < "$ntstatus"
 	echo ")"
 } | gofmt > "zerrors_windows.go"
@@ -0,0 +1,27 @@
 #!/bin/bash
 # Copyright 2019 The Go Authors. All rights reserved.
 # Use of this source code is governed by a BSD-style
 # license that can be found in the LICENSE file.
 set -e
 shopt -s nullglob
 knownfolders="$(printf '%s\n' "/mnt/c/Program Files (x86)/Windows Kits/"/*/Include/*/um/KnownFolders.h | sort -Vr | head -n 1)"
 [[ -n $knownfolders ]] || { echo "Unable to find KnownFolders.h" >&2; exit 1; }
 {
 	echo "// Code generated by 'mkknownfolderids.bash'; DO NOT EDIT."
 	echo
 	echo "package windows"
 	echo "type KNOWNFOLDERID GUID"
 	echo "var ("
 	while read -r line; do
 		[[ $line =~ DEFINE_KNOWN_FOLDER\((FOLDERID_[^,]+),[\t\ ]*(0x[^,]+),[\t\ ]*(0x[^,]+),[\t\ ]*(0x[^,]+),[\t\ ]*(0x[^,]+),[\t\ ]*(0x[^,]+),[\t\ ]*(0x[^,]+),[\t\ ]*(0x[^,]+),[\t\ ]*(0x[^,]+),[\t\ ]*(0x[^,]+),[\t\ ]*(0x[^,]+),[\t\ ]*(0x[^,]+)\) ]] || continue
 		printf "%s = &KNOWNFOLDERID{0x%08x, 0x%04x, 0x%04x, [8]byte{0x%02x, 0x%02x, 0x%02x, 0x%02x, 0x%02x, 0x%02x, 0x%02x, 0x%02x}}\n" \
 			"${BASH_REMATCH[1]}" $(( "${BASH_REMATCH[2]}" )) $(( "${BASH_REMATCH[3]}" )) $(( "${BASH_REMATCH[4]}" )) \
 			$(( "${BASH_REMATCH[5]}" )) $(( "${BASH_REMATCH[6]}" )) $(( "${BASH_REMATCH[7]}" )) $(( "${BASH_REMATCH[8]}" )) \
 			$(( "${BASH_REMATCH[9]}" )) $(( "${BASH_REMATCH[10]}" )) $(( "${BASH_REMATCH[11]}" )) $(( "${BASH_REMATCH[12]}" ))
 	done < "$knownfolders"
 	echo ")"
 } | gofmt > "zknownfolderids_windows.go"
@@ -0,0 +1,9 @@
 // Copyright 2009 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 //go:build generate
 package windows
 //go:generate go run golang.org/x/sys/windows/mkwinsyscall -output zsyscall_windows.go eventlog.go service.go syscall_windows.go security_windows.go setupapi_windows.go
@@ -0,0 +1,30 @@
 // Copyright 2012 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 //go:build windows && race
 package windows
 import (
 	"runtime"
 	"unsafe"
 )
 const raceenabled = true
 func raceAcquire(addr unsafe.Pointer) {
 	runtime.RaceAcquire(addr)
 }
 func raceReleaseMerge(addr unsafe.Pointer) {
 	runtime.RaceReleaseMerge(addr)
 }
 func raceReadRange(addr unsafe.Pointer, len int) {
 	runtime.RaceReadRange(addr, len)
 }
 func raceWriteRange(addr unsafe.Pointer, len int) {
 	runtime.RaceWriteRange(addr, len)
 }
@@ -0,0 +1,25 @@
 // Copyright 2012 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 //go:build windows && !race
 package windows
 import (
 	"unsafe"
 )
 const raceenabled = false
 func raceAcquire(addr unsafe.Pointer) {
 }
 func raceReleaseMerge(addr unsafe.Pointer) {
 }
 func raceReadRange(addr unsafe.Pointer, len int) {
 }
 func raceWriteRange(addr unsafe.Pointer, len int) {
 }
@@ -0,0 +1,257 @@
 // Copyright 2012 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 //go:build windows
 package windows
 const (
 	SC_MANAGER_CONNECT            = 1
 	SC_MANAGER_CREATE_SERVICE     = 2
 	SC_MANAGER_ENUMERATE_SERVICE  = 4
 	SC_MANAGER_LOCK               = 8
 	SC_MANAGER_QUERY_LOCK_STATUS  = 16
 	SC_MANAGER_MODIFY_BOOT_CONFIG = 32
 	SC_MANAGER_ALL_ACCESS         = 0xf003f
 )
 const (
 	SERVICE_KERNEL_DRIVER       = 1
 	SERVICE_FILE_SYSTEM_DRIVER  = 2
 	SERVICE_ADAPTER             = 4
 	SERVICE_RECOGNIZER_DRIVER   = 8
 	SERVICE_WIN32_OWN_PROCESS   = 16
 	SERVICE_WIN32_SHARE_PROCESS = 32
 	SERVICE_WIN32               = SERVICE_WIN32_OWN_PROCESS | SERVICE_WIN32_SHARE_PROCESS
 	SERVICE_INTERACTIVE_PROCESS = 256
 	SERVICE_DRIVER              = SERVICE_KERNEL_DRIVER | SERVICE_FILE_SYSTEM_DRIVER | SERVICE_RECOGNIZER_DRIVER
 	SERVICE_TYPE_ALL            = SERVICE_WIN32 | SERVICE_ADAPTER | SERVICE_DRIVER | SERVICE_INTERACTIVE_PROCESS
 	SERVICE_BOOT_START   = 0
 	SERVICE_SYSTEM_START = 1
 	SERVICE_AUTO_START   = 2
 	SERVICE_DEMAND_START = 3
 	SERVICE_DISABLED     = 4
 	SERVICE_ERROR_IGNORE   = 0
 	SERVICE_ERROR_NORMAL   = 1
 	SERVICE_ERROR_SEVERE   = 2
 	SERVICE_ERROR_CRITICAL = 3
 	SC_STATUS_PROCESS_INFO = 0
 	SC_ACTION_NONE        = 0
 	SC_ACTION_RESTART     = 1
 	SC_ACTION_REBOOT      = 2
 	SC_ACTION_RUN_COMMAND = 3
 	SERVICE_STOPPED          = 1
 	SERVICE_START_PENDING    = 2
 	SERVICE_STOP_PENDING     = 3
 	SERVICE_RUNNING          = 4
 	SERVICE_CONTINUE_PENDING = 5
 	SERVICE_PAUSE_PENDING    = 6
 	SERVICE_PAUSED           = 7
 	SERVICE_NO_CHANGE        = 0xffffffff
 	SERVICE_ACCEPT_STOP                  = 1
 	SERVICE_ACCEPT_PAUSE_CONTINUE        = 2
 	SERVICE_ACCEPT_SHUTDOWN              = 4
 	SERVICE_ACCEPT_PARAMCHANGE           = 8
 	SERVICE_ACCEPT_NETBINDCHANGE         = 16
 	SERVICE_ACCEPT_HARDWAREPROFILECHANGE = 32
 	SERVICE_ACCEPT_POWEREVENT            = 64
 	SERVICE_ACCEPT_SESSIONCHANGE         = 128
 	SERVICE_ACCEPT_PRESHUTDOWN           = 256
 	SERVICE_CONTROL_STOP                  = 1
 	SERVICE_CONTROL_PAUSE                 = 2
 	SERVICE_CONTROL_CONTINUE              = 3
 	SERVICE_CONTROL_INTERROGATE           = 4
 	SERVICE_CONTROL_SHUTDOWN              = 5
 	SERVICE_CONTROL_PARAMCHANGE           = 6
 	SERVICE_CONTROL_NETBINDADD            = 7
 	SERVICE_CONTROL_NETBINDREMOVE         = 8
 	SERVICE_CONTROL_NETBINDENABLE         = 9
 	SERVICE_CONTROL_NETBINDDISABLE        = 10
 	SERVICE_CONTROL_DEVICEEVENT           = 11
 	SERVICE_CONTROL_HARDWAREPROFILECHANGE = 12
 	SERVICE_CONTROL_POWEREVENT            = 13
 	SERVICE_CONTROL_SESSIONCHANGE         = 14
 	SERVICE_CONTROL_PRESHUTDOWN           = 15
 	SERVICE_ACTIVE    = 1
 	SERVICE_INACTIVE  = 2
 	SERVICE_STATE_ALL = 3
 	SERVICE_QUERY_CONFIG         = 1
 	SERVICE_CHANGE_CONFIG        = 2
 	SERVICE_QUERY_STATUS         = 4
 	SERVICE_ENUMERATE_DEPENDENTS = 8
 	SERVICE_START                = 16
 	SERVICE_STOP                 = 32
 	SERVICE_PAUSE_CONTINUE       = 64
 	SERVICE_INTERROGATE          = 128
 	SERVICE_USER_DEFINED_CONTROL = 256
 	SERVICE_ALL_ACCESS           = STANDARD_RIGHTS_REQUIRED | SERVICE_QUERY_CONFIG | SERVICE_CHANGE_CONFIG | SERVICE_QUERY_STATUS | SERVICE_ENUMERATE_DEPENDENTS | SERVICE_START | SERVICE_STOP | SERVICE_PAUSE_CONTINUE | SERVICE_INTERROGATE | SERVICE_USER_DEFINED_CONTROL
 	SERVICE_RUNS_IN_SYSTEM_PROCESS = 1
 	SERVICE_CONFIG_DESCRIPTION              = 1
 	SERVICE_CONFIG_FAILURE_ACTIONS          = 2
 	SERVICE_CONFIG_DELAYED_AUTO_START_INFO  = 3
 	SERVICE_CONFIG_FAILURE_ACTIONS_FLAG     = 4
 	SERVICE_CONFIG_SERVICE_SID_INFO         = 5
 	SERVICE_CONFIG_REQUIRED_PRIVILEGES_INFO = 6
 	SERVICE_CONFIG_PRESHUTDOWN_INFO         = 7
 	SERVICE_CONFIG_TRIGGER_INFO             = 8
 	SERVICE_CONFIG_PREFERRED_NODE           = 9
 	SERVICE_CONFIG_LAUNCH_PROTECTED         = 12
 	SERVICE_SID_TYPE_NONE         = 0
 	SERVICE_SID_TYPE_UNRESTRICTED = 1
 	SERVICE_SID_TYPE_RESTRICTED   = 2 | SERVICE_SID_TYPE_UNRESTRICTED
 	SC_ENUM_PROCESS_INFO = 0
 	SERVICE_NOTIFY_STATUS_CHANGE    = 2
 	SERVICE_NOTIFY_STOPPED          = 0x00000001
 	SERVICE_NOTIFY_START_PENDING    = 0x00000002
 	SERVICE_NOTIFY_STOP_PENDING     = 0x00000004
 	SERVICE_NOTIFY_RUNNING          = 0x00000008
 	SERVICE_NOTIFY_CONTINUE_PENDING = 0x00000010
 	SERVICE_NOTIFY_PAUSE_PENDING    = 0x00000020
 	SERVICE_NOTIFY_PAUSED           = 0x00000040
 	SERVICE_NOTIFY_CREATED          = 0x00000080
 	SERVICE_NOTIFY_DELETED          = 0x00000100
 	SERVICE_NOTIFY_DELETE_PENDING   = 0x00000200
 	SC_EVENT_DATABASE_CHANGE = 0
 	SC_EVENT_PROPERTY_CHANGE = 1
 	SC_EVENT_STATUS_CHANGE   = 2
 	SERVICE_START_REASON_DEMAND             = 0x00000001
 	SERVICE_START_REASON_AUTO               = 0x00000002
 	SERVICE_START_REASON_TRIGGER            = 0x00000004
 	SERVICE_START_REASON_RESTART_ON_FAILURE = 0x00000008
 	SERVICE_START_REASON_DELAYEDAUTO        = 0x00000010
 	SERVICE_DYNAMIC_INFORMATION_LEVEL_START_REASON = 1
 )
 type ENUM_SERVICE_STATUS struct {
 	ServiceName   *uint16
 	DisplayName   *uint16
 	ServiceStatus SERVICE_STATUS
 }
 type SERVICE_STATUS struct {
 	ServiceType             uint32
 	CurrentState            uint32
 	ControlsAccepted        uint32
 	Win32ExitCode           uint32
 	ServiceSpecificExitCode uint32
 	CheckPoint              uint32
 	WaitHint                uint32
 }
 type SERVICE_TABLE_ENTRY struct {
 	ServiceName *uint16
 	ServiceProc uintptr
 }
 type QUERY_SERVICE_CONFIG struct {
 	ServiceType      uint32
 	StartType        uint32
 	ErrorControl     uint32
 	BinaryPathName   *uint16
 	LoadOrderGroup   *uint16
 	TagId            uint32
 	Dependencies     *uint16
 	ServiceStartName *uint16
 	DisplayName      *uint16
 }
 type SERVICE_DESCRIPTION struct {
 	Description *uint16
 }
 type SERVICE_DELAYED_AUTO_START_INFO struct {
 	IsDelayedAutoStartUp uint32
 }
 type SERVICE_STATUS_PROCESS struct {
 	ServiceType             uint32
 	CurrentState            uint32
 	ControlsAccepted        uint32
 	Win32ExitCode           uint32
 	ServiceSpecificExitCode uint32
 	CheckPoint              uint32
 	WaitHint                uint32
 	ProcessId               uint32
 	ServiceFlags            uint32
 }
 type ENUM_SERVICE_STATUS_PROCESS struct {
 	ServiceName          *uint16
 	DisplayName          *uint16
 	ServiceStatusProcess SERVICE_STATUS_PROCESS
 }
 type SERVICE_NOTIFY struct {
 	Version               uint32
 	NotifyCallback        uintptr
 	Context               uintptr
 	NotificationStatus    uint32
 	ServiceStatus         SERVICE_STATUS_PROCESS
 	NotificationTriggered uint32
 	ServiceNames          *uint16
 }
 type SERVICE_FAILURE_ACTIONS struct {
 	ResetPeriod  uint32
 	RebootMsg    *uint16
 	Command      *uint16
 	ActionsCount uint32
 	Actions      *SC_ACTION
 }
 type SERVICE_FAILURE_ACTIONS_FLAG struct {
 	FailureActionsOnNonCrashFailures int32
 }
 type SC_ACTION struct {
 	Type  uint32
 	Delay uint32
 }
 type QUERY_SERVICE_LOCK_STATUS struct {
 	IsLocked     uint32
 	LockOwner    *uint16
 	LockDuration uint32
 }
 //sys	OpenSCManager(machineName *uint16, databaseName *uint16, access uint32) (handle Handle, err error) [failretval==0] = advapi32.OpenSCManagerW
 //sys	CloseServiceHandle(handle Handle) (err error) = advapi32.CloseServiceHandle
 //sys	CreateService(mgr Handle, serviceName *uint16, displayName *uint16, access uint32, srvType uint32, startType uint32, errCtl uint32, pathName *uint16, loadOrderGroup *uint16, tagId *uint32, dependencies *uint16, serviceStartName *uint16, password *uint16) (handle Handle, err error) [failretval==0] = advapi32.CreateServiceW
 //sys	OpenService(mgr Handle, serviceName *uint16, access uint32) (handle Handle, err error) [failretval==0] = advapi32.OpenServiceW
 //sys	DeleteService(service Handle) (err error) = advapi32.DeleteService
 //sys	StartService(service Handle, numArgs uint32, argVectors **uint16) (err error) = advapi32.StartServiceW
 //sys	QueryServiceStatus(service Handle, status *SERVICE_STATUS) (err error) = advapi32.QueryServiceStatus
 //sys	QueryServiceLockStatus(mgr Handle, lockStatus *QUERY_SERVICE_LOCK_STATUS, bufSize uint32, bytesNeeded *uint32) (err error) = advapi32.QueryServiceLockStatusW
 //sys	ControlService(service Handle, control uint32, status *SERVICE_STATUS) (err error) = advapi32.ControlService
 //sys	StartServiceCtrlDispatcher(serviceTable *SERVICE_TABLE_ENTRY) (err error) = advapi32.StartServiceCtrlDispatcherW
 //sys	SetServiceStatus(service Handle, serviceStatus *SERVICE_STATUS) (err error) = advapi32.SetServiceStatus
 //sys	ChangeServiceConfig(service Handle, serviceType uint32, startType uint32, errorControl uint32, binaryPathName *uint16, loadOrderGroup *uint16, tagId *uint32, dependencies *uint16, serviceStartName *uint16, password *uint16, displayName *uint16) (err error) = advapi32.ChangeServiceConfigW
 //sys	QueryServiceConfig(service Handle, serviceConfig *QUERY_SERVICE_CONFIG, bufSize uint32, bytesNeeded *uint32) (err error) = advapi32.QueryServiceConfigW
 //sys	ChangeServiceConfig2(service Handle, infoLevel uint32, info *byte) (err error) = advapi32.ChangeServiceConfig2W
 //sys	QueryServiceConfig2(service Handle, infoLevel uint32, buff *byte, buffSize uint32, bytesNeeded *uint32) (err error) = advapi32.QueryServiceConfig2W
 //sys	EnumServicesStatusEx(mgr Handle, infoLevel uint32, serviceType uint32, serviceState uint32, services *byte, bufSize uint32, bytesNeeded *uint32, servicesReturned *uint32, resumeHandle *uint32, groupName *uint16) (err error) = advapi32.EnumServicesStatusExW
 //sys	QueryServiceStatusEx(service Handle, infoLevel uint32, buff *byte, buffSize uint32, bytesNeeded *uint32) (err error) = advapi32.QueryServiceStatusEx
 //sys	NotifyServiceStatusChange(service Handle, notifyMask uint32, notifier *SERVICE_NOTIFY) (ret error) = advapi32.NotifyServiceStatusChangeW
 //sys	SubscribeServiceChangeNotifications(service Handle, eventType uint32, callback uintptr, callbackCtx uintptr, subscription *uintptr) (ret error) = sechost.SubscribeServiceChangeNotifications?
 //sys	UnsubscribeServiceChangeNotifications(subscription uintptr) = sechost.UnsubscribeServiceChangeNotifications?
 //sys	RegisterServiceCtrlHandlerEx(serviceName *uint16, handlerProc uintptr, context uintptr) (handle Handle, err error) = advapi32.RegisterServiceCtrlHandlerExW
 //sys	QueryServiceDynamicInformation(service Handle, infoLevel uint32, dynamicInfo unsafe.Pointer) (err error) = advapi32.QueryServiceDynamicInformation?
 //sys	EnumDependentServices(service Handle, activityState uint32, services *ENUM_SERVICE_STATUS, buffSize uint32, bytesNeeded *uint32, servicesReturned *uint32) (err error) = advapi32.EnumDependentServicesW
@@ -0,0 +1,22 @@
 // Copyright 2009 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 //go:build windows
 package windows
 func itoa(val int) string { // do it here rather than with fmt to avoid dependency
 	if val < 0 {
 		return "-" + itoa(-val)
 	}
 	var buf [32]byte // big enough for int64
 	i := len(buf) - 1
 	for val >= 10 {
 		buf[i] = byte(val%10 + '0')
 		i--
 		val /= 10
 	}
 	buf[i] = byte(val + '0')
 	return string(buf[i:])
 }
@@ -0,0 +1,104 @@
 // Copyright 2009 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 //go:build windows
 // Package windows contains an interface to the low-level operating system
 // primitives. OS details vary depending on the underlying system, and
 // by default, godoc will display the OS-specific documentation for the current
 // system. If you want godoc to display syscall documentation for another
 // system, set $GOOS and $GOARCH to the desired system. For example, if
 // you want to view documentation for freebsd/arm on linux/amd64, set $GOOS
 // to freebsd and $GOARCH to arm.
 //
 // The primary use of this package is inside other packages that provide a more
 // portable interface to the system, such as "os", "time" and "net".  Use
 // those packages rather than this one if you can.
 //
 // For details of the functions and data types in this package consult
 // the manuals for the appropriate operating system.
 //
 // These calls return err == nil to indicate success; otherwise
 // err represents an operating system error describing the failure and
 // holds a value of type syscall.Errno.
 package windows // import "golang.org/x/sys/windows"
 import (
 	"bytes"
 	"strings"
 	"syscall"
 	"unsafe"
 )
 // ByteSliceFromString returns a NUL-terminated slice of bytes
 // containing the text of s. If s contains a NUL byte at any
 // location, it returns (nil, syscall.EINVAL).
 func ByteSliceFromString(s string) ([]byte, error) {
 	if strings.IndexByte(s, 0) != -1 {
 		return nil, syscall.EINVAL
 	}
 	a := make([]byte, len(s)+1)
 	copy(a, s)
 	return a, nil
 }
 // BytePtrFromString returns a pointer to a NUL-terminated array of
 // bytes containing the text of s. If s contains a NUL byte at any
 // location, it returns (nil, syscall.EINVAL).
 func BytePtrFromString(s string) (*byte, error) {
 	a, err := ByteSliceFromString(s)
 	if err != nil {
 		return nil, err
 	}
 	return &a[0], nil
 }
 // ByteSliceToString returns a string form of the text represented by the slice s, with a terminating NUL and any
 // bytes after the NUL removed.
 func ByteSliceToString(s []byte) string {
 	if i := bytes.IndexByte(s, 0); i != -1 {
 		s = s[:i]
 	}
 	return string(s)
 }
 // BytePtrToString takes a pointer to a sequence of text and returns the corresponding string.
 // If the pointer is nil, it returns the empty string. It assumes that the text sequence is terminated
 // at a zero byte; if the zero byte is not present, the program may crash.
 func BytePtrToString(p *byte) string {
 	if p == nil {
 		return ""
 	}
 	if *p == 0 {
 		return ""
 	}
 	// Find NUL terminator.
 	n := 0
 	for ptr := unsafe.Pointer(p); *(*byte)(ptr) != 0; n++ {
 		ptr = unsafe.Pointer(uintptr(ptr) + 1)
 	}
 	return string(unsafe.Slice(p, n))
 }
 // Single-word zero for use when we need a valid pointer to 0 bytes.
 // See mksyscall.pl.
 var _zero uintptr
 func (ts *Timespec) Unix() (sec int64, nsec int64) {
 	return int64(ts.Sec), int64(ts.Nsec)
 }
 func (tv *Timeval) Unix() (sec int64, nsec int64) {
 	return int64(tv.Sec), int64(tv.Usec) * 1000
 }
 func (ts *Timespec) Nano() int64 {
 	return int64(ts.Sec)*1e9 + int64(ts.Nsec)
 }
 func (tv *Timeval) Nano() int64 {
 	return int64(tv.Sec)*1e9 + int64(tv.Usec)*1000
 }
@@ -0,0 +1,35 @@
 // Copyright 2011 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 package windows
 type WSAData struct {
 	Version      uint16
 	HighVersion  uint16
 	Description  [WSADESCRIPTION_LEN + 1]byte
 	SystemStatus [WSASYS_STATUS_LEN + 1]byte
 	MaxSockets   uint16
 	MaxUdpDg     uint16
 	VendorInfo   *byte
 }
 type Servent struct {
 	Name    *byte
 	Aliases **byte
 	Port    uint16
 	Proto   *byte
 }
 type JOBOBJECT_BASIC_LIMIT_INFORMATION struct {
 	PerProcessUserTimeLimit int64
 	PerJobUserTimeLimit     int64
 	LimitFlags              uint32
 	MinimumWorkingSetSize   uintptr
 	MaximumWorkingSetSize   uintptr
 	ActiveProcessLimit      uint32
 	Affinity                uintptr
 	PriorityClass           uint32
 	SchedulingClass         uint32
 	_                       uint32 // pad to 8 byte boundary
 }
@@ -0,0 +1,34 @@
 // Copyright 2011 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 package windows
 type WSAData struct {
 	Version      uint16
 	HighVersion  uint16
 	MaxSockets   uint16
 	MaxUdpDg     uint16
 	VendorInfo   *byte
 	Description  [WSADESCRIPTION_LEN + 1]byte
 	SystemStatus [WSASYS_STATUS_LEN + 1]byte
 }
 type Servent struct {
 	Name    *byte
 	Aliases **byte
 	Proto   *byte
 	Port    uint16
 }
 type JOBOBJECT_BASIC_LIMIT_INFORMATION struct {
 	PerProcessUserTimeLimit int64
 	PerJobUserTimeLimit     int64
 	LimitFlags              uint32
 	MinimumWorkingSetSize   uintptr
 	MaximumWorkingSetSize   uintptr
 	ActiveProcessLimit      uint32
 	Affinity                uintptr
 	PriorityClass           uint32
 	SchedulingClass         uint32
 }
@@ -0,0 +1,35 @@
 // Copyright 2018 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 package windows
 type WSAData struct {
 	Version      uint16
 	HighVersion  uint16
 	Description  [WSADESCRIPTION_LEN + 1]byte
 	SystemStatus [WSASYS_STATUS_LEN + 1]byte
 	MaxSockets   uint16
 	MaxUdpDg     uint16
 	VendorInfo   *byte
 }
 type Servent struct {
 	Name    *byte
 	Aliases **byte
 	Port    uint16
 	Proto   *byte
 }
 type JOBOBJECT_BASIC_LIMIT_INFORMATION struct {
 	PerProcessUserTimeLimit int64
 	PerJobUserTimeLimit     int64
 	LimitFlags              uint32
 	MinimumWorkingSetSize   uintptr
 	MaximumWorkingSetSize   uintptr
 	ActiveProcessLimit      uint32
 	Affinity                uintptr
 	PriorityClass           uint32
 	SchedulingClass         uint32
 	_                       uint32 // pad to 8 byte boundary
 }
--- a/Show More
+++ b/Show More