Secure storage for http basic auth credentials with Git
Lately I have been pushing to a couple of git repositories over https instead of the usual git+ssh, and the workflow felt a little bit tedious because by default git asks for http auth credentials before every action.
Fortunately I stumbled upon gitcredentials, which allows git to use gnome-keyring among other possible storages.
Using gnome-keyring
In Fedora, using the git-credential helper for gnome-keyring is pretty straightforward, because the plugin comes prebuilt in the Fedora RPM. All you need to do is:
git config --global credential.helper gnome-keyring
You can check which credential helpers your git version knows out of the box with the following shell command:
git help -a | grep credential-
OSX users may find a helper for Keychain there, and Windows users would probably be able to use the wincred helper.
Ubuntu packages ship the gnome-keyring helper only as source in the git documentation folder, so it has to be built first:
sudo apt-get install libgnome-keyring-dev
cd /usr/share/doc/git/contrib/credential/gnome-keyring
sudo make
git config --global credential.helper /usr/share/doc/git/contrib/credential/gnome-keyring/git-credential-gnome-keyring
After the first successful login, credentials are stored in gnome-keyring and retrieved from there in the future.
Using gpg encrypted .netrc in non-Gnome system
If you are not using Gnome/Unity and don’t like to have gnome daemons running in the background, you could use an encrypted .netrc file to achieve a similar workflow.
1. Place .netrc in your home directory, where each line contains a host, user and password definition in the following format:
machine {host name} login {user name} password {password}
For example:
machine github.com login johndoe password s3cret
2. Generate a gpg key if you don’t have one already:
gpg --gen-key
3. Encrypt ~/.netrc using gpg:
gpg -e -r {YOUR EMAIL USED IN STEP 2} ~/.netrc
4. Remove the original unencrypted .netrc:
rm ~/.netrc
5. Enable the credential helper for netrc:
sudo chmod +x /usr/share/doc/git/contrib/credential/netrc/git-credential-netrc
git config credential.helper /usr/share/doc/git/contrib/credential/netrc/git-credential-netrc
It will look for ~/.netrc.gpg by default and handle decrypting it.
Extra tip: Use gnupg.vim, or epa if you prefer Emacs, to ease editing .netrc.gpg.
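To show what the netrc helper step amounts to, here is an added sketch (not the contrib Perl helper and not code from the original post) of a credential helper's "get" operation: it reads the host from git's request, decrypts the netrc, and answers only for an exactly matching host. The function names, the NETRC_GPG variable and the one-entry-per-line format are assumptions of this example.

```shell
#!/bin/sh
# Added example: a minimal "get"-only credential helper for ~/.netrc.gpg.
# Hypothetical names throughout; this is not git-credential-netrc itself.

# Decrypt the netrc to stdout. NETRC_GPG is an assumed override variable.
decrypt_netrc() {
    gpg --quiet --decrypt "${NETRC_GPG:-$HOME/.netrc.gpg}" 2>/dev/null
}

# Git sends the request as key=value lines on stdin; pull out the host.
request_host() {
    sed -n 's/^host=//p' | head -n 1
}

# Read netrc text on stdin and print the entry for host $1 in the
# username=/password= form git expects. Exit 1 if nothing matches.
netrc_lookup() {
    awk -v want="$1" '
        {
            host = user = pass = ""
            # netrc tokens alternate keyword/value, so walk them in pairs.
            for (i = 1; i < NF; i += 2) {
                if ($i == "machine")  host = $(i + 1)
                if ($i == "login")    user = $(i + 1)
                if ($i == "password") pass = $(i + 1)
            }
            # Exact host match only: never answer for a different host.
            if (host == want && user != "" && pass != "") {
                printf "username=%s\npassword=%s\n", user, pass
                found = 1
                exit
            }
        }
        END { exit !found }
    '
}

credential_get() {
    host=$(request_host)
    [ -n "$host" ] || return 1
    decrypt_netrc | netrc_lookup "$host"
}

# Git runs the helper as "<helper> get|store|erase"; only get is handled,
# so nothing is ever written back to disk in plaintext.
case ${1:-} in
    get) credential_get ;;
esac
```

Because the plaintext only exists in the pipe between gpg and awk, the password never touches the filesystem unencrypted.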