diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 9b97d973..b11269e0 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -31,6 +31,7 @@ jobs: pkg: - buildx - compose + - credential-helpers steps: - name: Checkout @@ -44,7 +45,7 @@ jobs: - name: Build run: | - make -C pkg/${{ matrix.pkg }} all + make -j$(nproc) -C pkg/${{ matrix.pkg }} all - name: List artifacts run: | @@ -60,4 +61,4 @@ jobs: - name: List release artifacts run: | - tree -nh /tmp/release + tree /tmp/release diff --git a/pkg/credential-helpers/.gitignore b/pkg/credential-helpers/.gitignore new file mode 100644 index 00000000..5e56e040 --- /dev/null +++ b/pkg/credential-helpers/.gitignore @@ -0,0 +1 @@ +/bin diff --git a/pkg/credential-helpers/Dockerfile b/pkg/credential-helpers/Dockerfile new file mode 100644 index 00000000..8fc76277 --- /dev/null +++ b/pkg/credential-helpers/Dockerfile 
@@ -0,0 +1,337 @@ +# syntax=docker/dockerfile:1 + +# Copyright 2022 Docker Packaging authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +ARG XX_VERSION="1.1.2" +ARG ALPINE_VERSION="3.16" +ARG OSXCROSS_VERSION="11.3-r7-debian" +ARG DEBIAN_FRONTEND="noninteractive" + +# go +ARG GO_IMAGE="golang" +ARG GO_VERSION="1.18.5" +ARG GO_IMAGE_VARIANT="buster" + +# pkg matrix +ARG PKG_RELEASE="debian11" +ARG PKG_TYPE="deb" +ARG PKG_DISTRO="debian" +ARG PKG_SUITE="bullseye" +ARG PKG_BASE_IMAGE="debian:bullseye" + +# deb specific +ARG PKG_DEB_EPOCH="5" +ARG PKG_DEB_REVISION="0" + +# rpm specific +ARG PKG_RPM_RELEASE="1" + +# cross compilation helper +FROM --platform=$BUILDPLATFORM tonistiigi/xx:${XX_VERSION} AS xx + +# osxcross contains the MacOSX cross toolchain for xx +FROM crazymax/osxcross:${OSXCROSS_VERSION} AS osxcross + +# go base image to retrieve /usr/local/go +FROM --platform=$BUILDPLATFORM ${GO_IMAGE}:${GO_VERSION}-${GO_IMAGE_VARIANT} AS go + +# dummy stage for unsupported platforms +FROM --platform=$BUILDPLATFORM busybox AS builder-dummy +RUN mkdir -p /out +FROM scratch AS build-dummy +COPY --from=builder-dummy /out /out + +# base stage for fetching sources and create final release +FROM --platform=$BUILDPLATFORM alpine:${ALPINE_VERSION} AS base +RUN apk add --no-cache bash curl file git zip tar + +FROM base AS src +WORKDIR /src +ARG CREDENTIAL_HELPERS_REPO +RUN git init . 
&& git remote add origin "${CREDENTIAL_HELPERS_REPO}" +ARG CREDENTIAL_HELPERS_VERSION +RUN git fetch origin "${CREDENTIAL_HELPERS_VERSION}" +refs/heads/*:refs/remotes/origin/* +refs/tags/*:refs/tags/* && git checkout -q FETCH_HEAD + +FROM base AS src-tgz +RUN --mount=from=src,source=/src,target=/docker-credential-helpers \ + mkdir /out && tar -C / -zcf /out/docker-credential-helpers.tgz --exclude .git docker-credential-helpers + +# deb +FROM --platform=$BUILDPLATFORM ${PKG_BASE_IMAGE} AS build-base-deb +COPY --from=xx / / +ARG DEBIAN_FRONTEND="noninteractive" +RUN --mount=type=cache,sharing=locked,id=build-base-deb-aptlib,target=/var/lib/apt \ + --mount=type=cache,sharing=locked,id=build-base-deb-aptcache,target=/var/cache/apt \ + apt-get update && apt-get install -y bash curl devscripts equivs git +ENV GOPROXY="https://proxy.golang.org|direct" +ENV GOPATH="/go" +ENV PATH="$PATH:/usr/local/go/bin:$GOPATH/bin" +ARG PKG_RELEASE +RUN < "debian/changelog" <<-EOF +docker-credential-helpers (${PKG_DEB_EPOCH}$([ -n "$PKG_DEB_EPOCH" ] && echo ":")${debVersion}-${PKG_DEB_REVISION}) $PKG_SUITE; urgency=low + * Version: $CREDENTIAL_HELPERS_VERSION + -- $(awk -F ': ' '$1 == "Maintainer" { print $2; exit }' debian/control) $(date --rfc-2822) +EOF + xx-go --wrap + set -x + chmod -x debian/compat debian/control debian/docs + dpkg-buildpackage -us -uc -a$(xx-info debian-arch) -Pcross,nocheck + pkgoutput="/out/${PKG_DISTRO}/${PKG_SUITE}/$(xx-info arch)" + if [ -n "$(xx-info variant)" ]; then + pkgoutput="${pkgoutput}/$(xx-info variant)" + fi + mkdir -p "${pkgoutput}" + cp /root/docker-credential-* ${pkgoutput}/ +EOT + +FROM build-dummy AS builder-deb-darwin +FROM build-deb AS builder-deb-linux +FROM build-dummy AS builder-deb-windows +FROM builder-deb-${TARGETOS} AS builder-deb + +# rpm +FROM --platform=$BUILDPLATFORM ${PKG_BASE_IMAGE} AS build-base-rpm +COPY --from=xx / / +ENV GOPROXY="https://proxy.golang.org|direct" +ENV GOPATH="/go" +ENV 
PATH="$PATH:/usr/local/go/bin:$GOPATH/bin" +ARG PKG_RELEASE +RUN --mount=type=cache,sharing=locked,id=build-base-rpm-dnfcache,target=/var/cache/dnf \ + --mount=type=cache,sharing=locked,id=build-base-rpm-yumcache,target=/var/cache/yum < +Homepage: https://www.docker.com +Vcs-Browser: https://github.com/docker/docker-credential-helpers +Vcs-Git: git://github.com/docker/docker-credential-helpers.git +Standards-Version: 3.9.6 +Build-Depends: debhelper, + dh-make, + gcc, + git, + libc-dev, + libsecret-1-dev, + make, + pkg-config + +Package: docker-credential-secretservice +Architecture: linux-any +Depends: libsecret-1-0, + ${misc:Depends} +Description: docker-credential-secretservice is a credential helper backend + which uses libsecret to keep Docker credentials safe. + +Package: docker-credential-pass +Architecture: linux-any +Depends: pass, + ${misc:Depends} +Description: docker-credential-secretservice is a credential helper backend + which uses the pass utility to keep Docker credentials safe. diff --git a/pkg/credential-helpers/deb/docs b/pkg/credential-helpers/deb/docs new file mode 100644 index 00000000..565bc225 --- /dev/null +++ b/pkg/credential-helpers/deb/docs @@ -0,0 +1 @@ +docker-credential-helpers/README.md diff --git a/pkg/credential-helpers/deb/rules b/pkg/credential-helpers/deb/rules new file mode 100644 index 00000000..d51eaad8 --- /dev/null +++ b/pkg/credential-helpers/deb/rules 
@@ -0,0 +1,22 @@
+#!/usr/bin/make -f
+
+# force packages to be built with xz compression, as Ubuntu 21.10 and up use
+# zstd compression, which is non-standard, and breaks 'dpkg-sig --verify'
+override_dh_builddeb:
+ dh_builddeb -- -Zxz
+
+override_dh_auto_build:
+ cd docker-credential-helpers && CGO_ENABLED=1 make build-secretservice build-pass DESTDIR=bin
+
+override_dh_auto_install:
+ install -D docker-credential-helpers/bin/docker-credential-secretservice debian/docker-credential-secretservice/usr/bin/docker-credential-secretservice
+ install -D docker-credential-helpers/bin/docker-credential-pass debian/docker-credential-pass/usr/bin/docker-credential-pass
+
+override_dh_auto_test:
+ ver="$$(docker-credential-helpers/bin/docker-credential-secretservice version)"; \
+ test "$$ver" = "docker-credential-secretservice (github.com/docker/docker-credential-helpers) $(CREDENTIAL_HELPERS_VERSION)" && echo "PASS: docker-credential-secretservice version OK" || (echo "FAIL: docker-credential-secretservice version ($$ver) did not match" && exit 1)
+ ver="$$(docker-credential-helpers/bin/docker-credential-pass version)"; \
+ test "$$ver" = "docker-credential-pass (github.com/docker/docker-credential-helpers) $(CREDENTIAL_HELPERS_VERSION)" && echo "PASS: docker-credential-pass version OK" || (echo "FAIL: docker-credential-pass version ($$ver) did not match" && exit 1)
+
+%:
+ dh $@
diff --git a/pkg/credential-helpers/deb/source/format b/pkg/credential-helpers/deb/source/format
new file mode 100644
index 00000000..d3827e75
--- /dev/null
+++ b/pkg/credential-helpers/deb/source/format
@@ -0,0 +1 @@
+1.0
diff --git a/pkg/credential-helpers/docker-bake.hcl b/pkg/credential-helpers/docker-bake.hcl
new file mode 100644
index 00000000..0477e353
--- /dev/null
+++ b/pkg/credential-helpers/docker-bake.hcl
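Review bot: In pkg/credential-helpers/deb/rules, `override_dh_auto_build` runs a literal `make` and passes no `VERSION` or `REVISION`, while both rpm specs in this commit pass `VERSION=v%{_origversion} REVISION=%{_commit}` to the same upstream targets. The version and revision stamped into the .deb binaries therefore depend on whatever the upstream Makefile derives by default (presumably from git state, which is not visible here), and `override_dh_auto_test` compares only the version string. Suggest `cd docker-credential-helpers && CGO_ENABLED=1 $(MAKE) build-secretservice build-pass VERSION=$(CREDENTIAL_HELPERS_VERSION) DESTDIR=bin`, adding `REVISION=` if the packaging build exposes the commit to debian/rules. Using `$(MAKE)` also keeps the jobserver and `-n` working under dpkg-buildpackage.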
@@ -0,0 +1,156 @@
+// Copyright 2022 Docker Packaging authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+# Sets the credential helpers repo. Will be used to clone the repo at
+# CREDENTIAL_HELPERS_VERSION ref to include the README.md and LICENSE for the
+# static packages and also create version string.
+variable "CREDENTIAL_HELPERS_REPO" {
+ default = "https://github.com/docker/docker-credential-helpers.git"
+}
+
+# Sets the credential helpers version to build from source.
+variable "CREDENTIAL_HELPERS_VERSION" {
+ default = "v0.7.0-beta.1"
+}
+
+# Sets Go image, version and variant to use for building
+variable "GO_IMAGE" {
+ default = ""
+}
+variable "GO_VERSION" {
+ default = ""
+}
+variable "GO_IMAGE_VARIANT" {
+ default = ""
+}
+
+# Sets the pkg name.
+variable "PKG_NAME" {
+ default = "docker-credential-helpers"
+}
+
+# Sets the list of package types to build: apk, deb, rpm or static
+variable "PKG_TYPE" {
+ default = "static"
+}
+
+# Sets release flavor. See packages.hcl and packages.mk for more details.
+variable "PKG_RELEASE" {
+ default = "static"
+}
+target "_pkg-static" {
+ args = {
+ PKG_RELEASE = ""
+ PKG_TYPE = "static"
+ }
+}
+
+# Sets the vendor/maintainer name (only for linux packages)
+variable "PKG_VENDOR" {
+ default = "Docker"
+}
+
+# Sets the name of the company that produced the package (only for linux packages)
+variable "PKG_PACKAGER" {
+ default = "Docker "
+}
+
+# Include an extra `.0` in the version, in case we ever would have to re-build
+# an already published release with a packaging-only change.
+variable "PKG_DEB_REVISION" {
+ default = "0"
+}
+
+# rpm "Release:" field ($rpmRelease) is used to set the "_release" macro, which
+# is an incremental number for builds of the same release (Version: / #rpmVersion)
+# - Version: 0 : Package was built, but no matching upstream release (e.g., can be used for "nightly" builds)
+# - Version: 1 : Package was built for an upstream (pre)release version
+# - Version: > 1 : Only to be used for packaging-only changes (new package built for a version for which a package was already built/released)
+variable "PKG_RPM_RELEASE" {
+ default = "1"
+}
+
+# Defines the output folder
+variable "DESTDIR" {
+ default = ""
+}
+function "bindir" {
+ params = [defaultdir]
+ result = DESTDIR != "" ? DESTDIR : "./bin/${defaultdir}"
+}
+
+group "default" {
+ targets = ["pkg"]
+}
+
+target "_common" {
+ inherits = ["_pkg-${PKG_RELEASE}"]
+ args = {
+ CREDENTIAL_HELPERS_REPO = CREDENTIAL_HELPERS_REPO
+ CREDENTIAL_HELPERS_VERSION = CREDENTIAL_HELPERS_VERSION
+ GO_IMAGE = GO_IMAGE
+ GO_VERSION = GO_VERSION
+ GO_IMAGE_VARIANT = GO_IMAGE_VARIANT
+ PKG_NAME = PKG_NAME
+ PKG_VENDOR = PKG_VENDOR
+ PKG_PACKAGER = PKG_PACKAGER
+ PKG_DEB_REVISION = PKG_DEB_REVISION
+ PKG_RPM_RELEASE = PKG_RPM_RELEASE
+ }
+}
+
+target "_platforms" {
+ platforms = [
+ "darwin/amd64",
+ "darwin/arm64",
+ "linux/amd64",
+ "linux/arm/v6",
+ "linux/arm/v7",
+ "linux/arm64",
+ "linux/ppc64le",
+ "linux/s390x",
+ "windows/amd64"
+ ]
+}
+
+# $ PKG_RELEASE=debian11 docker buildx bake pkg
+# $ docker buildx bake --set *.platform=linux/amd64 --set *.output=./bin pkg
+target "pkg" {
+ inherits = ["_common"]
+ target = "pkg"
+ output = [bindir(PKG_RELEASE)]
+}
+
+# Same as pkg but for all supported platforms
+target "pkg-cross" {
+ inherits = ["pkg", "_platforms"]
+}
+
+# Special target: https://github.com/docker/metadata-action#bake-definition
+target "meta-helper" {
+ tags = ["dockereng/packaging:credential-helpers-local"]
+}
+
+# Create release image by using ./bin folder as named context. Therefore
+# pkg-cross target must be run before using this target:
+# $ PKG_RELEASE=debian11 docker buildx bake pkg-cross
+# $ docker buildx bake release --push --set *.tags=docker/packaging:credential-helpers-v0.7.0-beta.1
+target "release" {
+ inherits = ["meta-helper", "_platforms"]
+ dockerfile = "../../release.Dockerfile"
+ target = "release"
+ contexts = {
+ bin-folder = "./bin"
+ }
+}
diff --git a/pkg/credential-helpers/rpm/docker-credential-pass.spec b/pkg/credential-helpers/rpm/docker-credential-pass.spec
new file mode 100644
index 00000000..d03a4f80
--- /dev/null
+++ b/pkg/credential-helpers/rpm/docker-credential-pass.spec
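Review bot: In pkg/credential-helpers/docker-bake.hcl, `CREDENTIAL_HELPERS_VERSION` defaults to the tag `v0.7.0-beta.1`, and the `src` stage of the Dockerfile added in this commit fetches that ref and checks out `FETCH_HEAD` with no comparison against an expected commit in the lines visible here. A tag can be moved or re-created upstream, so the packaged credential helper is whatever the tag resolves to at build time and a change would go unnoticed. Suggest adding an expected-commit variable next to it, e.g. `variable "CREDENTIAL_HELPERS_COMMIT" { default = "" }` (the name is a placeholder, not one the repo defines), passing it through `_common`, and having the `src` stage fail when `git rev-parse HEAD` differs. Separately, `GO_IMAGE`, `GO_VERSION` and `GO_IMAGE_VARIANT` default to `""` and are always passed as args, which looks like it would replace the Dockerfile's ARG defaults with empty strings when bake is run directly rather than through vars.mk; worth confirming.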
@@ -0,0 +1,53 @@
+%global debug_package %{nil}
+
+Name: docker-credential-pass
+Version: %{_version}
+Release: %{_release}%{?dist}
+Epoch: 0
+Source0: docker-credential-helpers.tgz
+Summary: Credential helper backend which uses the pass utility to keep Docker credentials safe
+Group: Tools/Docker
+License: ASL 2.0
+URL: https://github.com/docker/docker-credential-helpers
+Vendor: Docker
+Packager: Docker
+
+Requires: pass
+
+BuildRequires: gcc
+BuildRequires: git
+BuildRequires: make
+BuildRequires: pkgconfig
+
+%description
+docker-credential-pass is a credential helper backend which uses the pass utility to keep Docker credentials safe.
+
+%prep
+%setup -q -c -n src -a 0
+
+%build
+pushd ${RPM_BUILD_DIR}/src/docker-credential-helpers
+CGO_ENABLED=1 make build-pass VERSION=v%{_origversion} REVISION=%{_commit} DESTDIR=bin
+popd
+
+%check
+pushd ${RPM_BUILD_DIR}/src/docker-credential-helpers
+ver="$(bin/docker-credential-pass version)"; \
+ test "$ver" = "docker-credential-pass (github.com/docker/docker-credential-helpers) v%{_origversion}" && echo "PASS: docker-credential-pass version OK" || (echo "FAIL: docker-credential-pass version ($ver) did not match" && exit 1)
+popd
+
+%install
+pushd ${RPM_BUILD_DIR}/src/docker-credential-helpers
+install -D -p -m 0755 bin/docker-credential-pass ${RPM_BUILD_ROOT}%{_bindir}/docker-credential-pass
+popd
+
+%files
+%{_bindir}/docker-credential-pass
+
+%post
+
+%preun
+
+%postun
+
+%changelog
diff --git a/pkg/credential-helpers/rpm/docker-credential-secretservice.spec b/pkg/credential-helpers/rpm/docker-credential-secretservice.spec
new file mode 100644
index 00000000..f908f012
--- /dev/null
+++ b/pkg/credential-helpers/rpm/docker-credential-secretservice.spec
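Review bot: In docker-credential-pass.spec, `%build` expands `%{_origversion}` and `%{_commit}` unguarded, and nothing in the spec defines them, so they have to arrive from the rpmbuild command line. rpm leaves an undefined macro as literal text and `%check` compares only the version string, so a build without `_commit` defined would still pass with `REVISION=%{_commit}` stamped into the helper. A guard near the top such as `%{!?_commit:%{error:_commit is not defined}}` (and the same for `_origversion`) would make that fail at parse time on rpm versions where `%{error:}` aborts. The same applies to docker-credential-secretservice.spec in this commit.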
@@ -0,0 +1,54 @@
+%global debug_package %{nil}
+
+Name: docker-credential-secretservice
+Version: %{_version}
+Release: %{_release}%{?dist}
+Epoch: 0
+Source0: docker-credential-helpers.tgz
+Summary: Credential helper backend which uses libsecret to keep Docker credentials safe
+Group: Tools/Docker
+License: ASL 2.0
+URL: https://github.com/docker/docker-credential-helpers
+Vendor: Docker
+Packager: Docker
+
+Requires: libsecret
+
+BuildRequires: gcc
+BuildRequires: git
+BuildRequires: libsecret-devel
+BuildRequires: make
+BuildRequires: pkgconfig
+
+%description
+docker-credential-secretservice is a credential helper backend which uses libsecret to keep Docker credentials safe.
+
+%prep
+%setup -q -c -n src -a 0
+
+%build
+pushd ${RPM_BUILD_DIR}/src/docker-credential-helpers
+CGO_ENABLED=1 make build-secretservice VERSION=v%{_origversion} REVISION=%{_commit} DESTDIR=bin
+popd
+
+%check
+pushd ${RPM_BUILD_DIR}/src/docker-credential-helpers
+ver="$(bin/docker-credential-secretservice version)"; \
+ test "$ver" = "docker-credential-secretservice (github.com/docker/docker-credential-helpers) v%{_origversion}" && echo "PASS: docker-credential-secretservice version OK" || (echo "FAIL: docker-credential-secretservice version ($ver) did not match" && exit 1)
+popd
+
+%install
+pushd ${RPM_BUILD_DIR}/src/docker-credential-helpers
+install -D -p -m 0755 bin/docker-credential-secretservice ${RPM_BUILD_ROOT}%{_bindir}/docker-credential-secretservice
+popd
+
+%files
+%{_bindir}/docker-credential-secretservice
+
+%post
+
+%preun
+
+%postun
+
+%changelog
diff --git a/vars.mk b/vars.mk
index bfcd0192..5114fb07 100644
--- a/vars.mk
+++ b/vars.mk
@@ -13,14 +13,20 @@ # limitations under the License. export BASEDIR ?= $(CURDIR) +export GO_IMAGE ?= golang +export GO_VERSION ?= 1.18.5 +export GO_IMAGE_VARIANT ?= buster + export PKG_VENDOR ?= Docker export PKG_PACKAGER ?= Docker export BUILDX_REPO ?= https://github.com/docker/buildx.git export COMPOSE_REPO ?= https://github.com/docker/compose.git +export CREDENTIAL_HELPERS_REPO ?= https://github.com/docker/docker-credential-helpers.git export BUILDX_VERSION ?= v0.9.1 export COMPOSE_VERSION ?= v2.10.2 +export CREDENTIAL_HELPERS_VERSION ?= v0.7.0-beta.1 .PHONY: buildx-version buildx-version: @@ -29,3 +35,7 @@ buildx-version: .PHONY: compose-version compose-version: @echo $(COMPOSE_VERSION) + +.PHONY: credential-helpers-version +credential-helpers-version: + @echo $(CREDENTIAL_HELPERS_VERSION)