What is the correct way to use git with gnome-keyring and http(s) repos?

Question

Currently, whenever I git pull or git push to a http(s) repository, I get the following:

$ git pull
Username for 'https://gitrepos.reposdomain.com': [email protected]
Password for 'https://[email protected]@gitrepos.reposdomain.com':

This is ok for infrequent use, but starts to become really annoying very quickly. Unfortunately, switching to ssh is not an option in this case.

I've read that earlier versions of git provided a credential "store" and "cache", but that this wasn't advised because it stored the password in plaintext.

BUT

Newer versions of git apparently store git credentials in the gnome-keyring, but it has to be set up correctly.

I've tried following other (non-Ubuntu) answers on SO to get this to work (namely this one), but I'm still presented with the username and password prompt.

What is the correct and safest way to store git credentials for http(s) repos and how does one make them work on Ubuntu?

You should mention which methods you did try. Otherwise you might find answers suggesting exactly those. — muru, May 17 '16 at 00:23
An **entire** sentence bolded *and* italicised is hardly readable. — muru, May 17 '16 at 00:27
Upstream Debian issue to package git-credential-libsecret https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=878599 — Colonel Panic, May 28 '23 at 07:02

score 110 · Accepted Answer · edited May 28 '23 at 10:28

110

git-credential-gnome-keyring is now deprecated.

Instead, use libsecret. If it's not already pre-installed on your machine, use the following procedure:

Make sure libsecret and its development libraries are installed:
```
sudo apt install libsecret-1-0 libsecret-1-dev
```
Then build the credential helper from the sources shipped with libsecret's development libraries:
```
sudo make --directory=/usr/share/doc/git/contrib/credential/libsecret
```

Finally, register the freshly compiled binary as a Git credential helper:

git config --global credential.helper \
   /usr/share/doc/git/contrib/credential/libsecret/git-credential-libsecret

More details on https://stackoverflow.com/a/40312117/2017781

edited May 28 '23 at 10:28

Colonel Panic

59
7

answered Sep 26 '17 at 16:31

eddygeek

1,579
1
12
16

2

You might want to note that this solution only applies to git versions >= 2.11 (where the libsecret dir may then be found) – Charles Roberto Canato Oct 02 '17 at 23:04
2

Is this safe? Where are the secrets stored? Is both the transmission and the storage safe? Is there any official documentation? Apparently, as per [this page](https://launchpad.net/ubuntu/+source/libsecret) and [this page](https://developer.gnome.org/libsecret/), it’s in “Main” and maintained by Debian/Ubuntu. And: “It communicates with the 'Secret Service' using DBus.” – caw Jan 23 '18 at 06:14
1

@caw: In GNOME, "Secret Service" is the same gnome-keyring-daemon, just through a different API. (The libsecret plan was to allow other DEs to build their own backends supporting the same API, e.g. KDE planned to implement this in kwalletd.) – user1686 Feb 24 '18 at 15:15
5

Updating my preferred answer as I can verify this works on 18.04. :) – tudor -Reinstate Monica- May 09 '18 at 01:02
3

This appears to still be Plan A in Feb 2020. Worked on Ubuntu 19.10. – ericP Feb 04 '20 at 17:50
1

The instructions didn't work for me (not Ubuntu) but installing `gnome-keyring` (not the depricated `libgnome-keyring`) and `libsecrets` then following [Arch's wiki](https://wiki.archlinux.org/index.php/GNOME/Keyring#Git_integration) worked. – Apr 01 '20 at 15:43
1

FWIW, this worked for me a fresh install of Ubuntu 20.04, but only after I rebooted (perhaps something related to installing the libsecret library?). Before reboot, git clone or anythign else that wanted to store credentials would simply hang in libsecret store op. – BeeOnRope Dec 02 '20 at 05:46
Is this still safe working from a shared filesystem? I would like to set this up on my university computer, but I'm concerned that /usr/share/doc/git/contrib/credential/libsecret/ is available to everyone on the network, so that other users will then be able to access my personal remote repositories – Aerinmund Fagelson Apr 26 '21 at 11:29
1

@AerinmundFagelson this is path where the compiled binary of the password manager (libsecret) is stored ; libsecret certainly does not persist the passwords in clear text on disk! – eddygeek Apr 27 '21 at 06:32
Thanks for clearing that up @eddygeek ! – Aerinmund Fagelson Apr 27 '21 at 14:57
WORKS! Just tested on Ubuntu 20, git 2.25.1 and Unity 7.5. Didn't have to restart or anything... Quite a fresh install I should add. :) – Pandian Le May 02 '21 at 19:38
@eddygeek how do we extend this to many other passwords? – Pandian Le May 04 '21 at 17:39
[Here](https://stackoverflow.com/a/67360592/5986651) is an answer to work with many accounts and passwords. :) The above only works for one account. – Pandian Le May 05 '21 at 19:05
@PandianLe the main difference of *Git-Credential-Manager core* is **multi-factor** authentication. As pointed out [here](https://stackoverflow.com/a/67406012/2017781) putting the user in the remote url is enough for **multi-account**. (This technique should work with any credential helper) – eddygeek May 06 '21 at 16:13
Hi @eddygeek, [that](https://stackoverflow.com/a/67406012/2017781) was my question and VonC answered it. Vonc suggested I use a GCM. The solution is after I used gcm and updated git and added the user in the remote url. I am really unsure if it would work without this. Have you tested it? – Pandian Le May 06 '21 at 18:18
VonC says it too "Any credential helper should follow the same process." -"Since gcm core is a bit fineky to install, test it first with the classic libsecret-based helper.". But no, I haven't personally tested it. – eddygeek May 07 '21 at 13:46
1

Arrggghhhh sudo make. Do NOT try this at home. – Paul Childs Mar 11 '22 at 03:35

score 46 · Answer 2 · 2016-05-24T07:24:10.500

46

You need to setup the git credential helper with Gnome Keyring:

Install and compile the Gnome Keyring devel:

sudo apt-get install libgnome-keyring-dev
sudo make --directory=/usr/share/doc/git/contrib/credential/gnome-keyring

And setup the credential:

git config --global credential.helper /usr/share/doc/git/contrib/credential/gnome-keyring/git-credential-gnome-keyring

edited May 24 '16 at 07:24

answered May 23 '16 at 11:14

That's really weird. Semantically, there should be no difference between the answer in the link and this answer. But for some reason this answer works where the other doesn't. – tudor -Reinstate Monica- May 25 '16 at 13:03
Then run `git push` or `git pull` as normal and the first time it will ask ansd store, and every time after that it will get it from the keyring. To verify it, run `seahorse`. It should be listed under "Passwords" ->"Login". – tudor -Reinstate Monica- May 25 '16 at 13:06
@tudor That's strange, I don't see any "conceptual" difference between my answer and the link one. Glad that it helps. – May 25 '16 at 20:10
Seems weird to me that you still have to run the "make" command, but these steps work great. Thanks! – DaveTheScientist Feb 10 '17 at 20:21
Works on Ubuntu 16.04 etc., but for Ubuntu 20.04+, you may want to use `libsecret` – caw Aug 16 '21 at 21:59
Another dangerous sudo make suggestion. – Paul Childs Mar 11 '22 at 03:35

Stephan Henningsen · Answer 3 · 2018-12-06T11:13:12.293

4

This simple approach appears to be sufficient on my Ubuntu 18.04.1 with git 2.17.1:

git config --global credential.helper cache

You can specify a one hour (=3600 seconds) timeout like this:

git config --global credential.helper 'cache --timeout=3600'

What is the correct way to use git with gnome-keyring and http(s) repos?

4 Answers4

Linked

Related