
I am trying to use AWS CodeCommit for my repos. For those who don't know, CC requires a specific git credential helper to generate the password for HTTPS requests, as it is encrypted and time based. This works fine normally.

However, I do have one aggravating problem: git appears to automatically be caching my time-sensitive credentials in Keychain, which means that after 15 minutes or so, I will only get 403 errors from pushing or fetching.

I tried following the instructions here, but I don't have osxkeychain configured anywhere. As near as I can tell, it's hard coded into Apple git.

Here is a pair of traces from git showing the problem:

Initial fetch

MikeBook-Pro:sensei-cli mike$ GIT_TRACE=1 git fetch
13:43:19.583664 git.c:348               trace: built-in: git 'fetch'
13:43:19.584764 run-command.c:347       trace: run_command: 'git-remote-https' 'origin' 'https://git-codecommit.us-east-1.amazonaws.com/v1/repos/sensei-cli'
13:43:20.024288 run-command.c:347       trace: run_command: 'git credential-osxkeychain get'
13:43:20.025203 run-command.c:195       trace: exec: '/bin/sh' '-c' 'git credential-osxkeychain get' 'git credential-osxkeychain get'
13:43:20.029429 git.c:557               trace: exec: 'git-credential-osxkeychain' 'get'

# This last command returns nothing, as nothing is in Keychain.
13:43:20.029928 run-command.c:347       trace: run_command: 'git-credential-osxkeychain' 'get'
13:43:21.016738 run-command.c:347       trace: run_command: 'aws --profile default codecommit credential-helper $@ get'

# This returns the correct generated credentials
13:43:21.018020 run-command.c:195       trace: exec: '/bin/sh' '-c' 'aws --profile default codecommit credential-helper $@ get' 'aws --profile default codecommit credential-helper $@ get'
13:43:21.985711 run-command.c:347       trace: run_command: 'git credential-osxkeychain store'

# This stores the credentials in Keychain
13:43:21.986731 run-command.c:195       trace: exec: '/bin/sh' '-c' 'git credential-osxkeychain store' 'git credential-osxkeychain store'
13:43:21.991811 git.c:557               trace: exec: 'git-credential-osxkeychain' 'store'
13:43:21.992266 run-command.c:347       trace: run_command: 'git-credential-osxkeychain' 'store'
13:43:22.017201 run-command.c:347       trace: run_command: 'aws --profile default codecommit credential-helper $@ store'
13:43:22.017897 run-command.c:195       trace: exec: '/bin/sh' '-c' 'aws --profile default codecommit credential-helper $@ store' 'aws --profile default codecommit credential-helper $@ store'
13:43:22.302123 run-command.c:347       trace: run_command: 'rev-list' '--objects' '--stdin' '--not' '--all' '--quiet'
...

Subsequent fetch

MikeBook-Pro:sensei-cli mike$ GIT_TRACE=1 git fetch
13:53:51.224971 git.c:348               trace: built-in: git 'fetch'
13:53:51.231140 run-command.c:347       trace: run_command: 'git-remote-https' 'origin' 'https://git-codecommit.us-east-1.amazonaws.com/v1/repos/sensei-cli'
13:53:53.855917 run-command.c:347       trace: run_command: 'git credential-osxkeychain get'
13:53:53.859291 run-command.c:195       trace: exec: '/bin/sh' '-c' 'git credential-osxkeychain get' 'git credential-osxkeychain get'
13:53:53.876895 git.c:557               trace: exec: 'git-credential-osxkeychain' 'get'

# This DOES return credentials, so it doesn't try any helpers
13:53:53.877419 run-command.c:347       trace: run_command: 'git-credential-osxkeychain' 'get'
fatal: unable to access 'https://git-codecommit.us-east-1.amazonaws.com/v1/repos/sensei-cli/': The requested URL returned error: 403

git --version and git config -l output

MikeBook-Pro:sensei-cli mike$ git --version
git version 2.4.9 (Apple Git-60)
MikeBook-Pro:sensei-cli mike$ git config -l
user.name=Mike Caron
user.email=myemail@domain.com
credential.helper=!aws --profile default codecommit credential-helper $@
credential.usehttppath=true
core.repositoryformatversion=0
core.filemode=true
core.bare=false
core.logallrefupdates=true
core.ignorecase=true
core.precomposeunicode=true
remote.origin.url=https://git-codecommit.us-east-1.amazonaws.com/v1/repos/sensei-cli
remote.origin.fetch=+refs/heads/*:refs/remotes/origin/*
branch.master.remote=origin
branch.master.merge=refs/heads/master

4 Answers


I've just hacked it by using:

git config --global credential.helper '!security delete-internet-password -l "git-codecommit.us-east-1.amazonaws.com"; aws codecommit credential-helper $@'

Hope it helps,


Yes, it is hardcoded to use osxkeychain in their implementation of Apple-Git. The source code references radar bug 12266645.

I trust that many subsequent radar bugs have resulted from this terribly misguided decision. I recommend you open one, too!

  • (Hopefully someone else has some clever workaround. I certainly don't.) – Edward Thomson Nov 03 '15 at 21:42
  • Do you know how to view that bug? I tried going to https://bugreport.apple.com and searching for it, but wasn't able to pull it up. Either way, it looks like the only resolution might be to install a different build of git :( – Mike Caron Nov 04 '15 at 14:58
  • I think that you can only see the radar bugs that *you've* filed. They're not so much with transparency. – Edward Thomson Nov 04 '15 at 15:30
  • It makes me sad that this is the accepted answer. I really hope somebody more clever than I has a workaround. – Edward Thomson Nov 05 '15 at 14:25
  • It is really unfortunate. For completeness, the actual solution I went with was to go into Keychain and remove osxkeychain from the "always allow" list. Then, when I poke the server, it pops up an "allow/deny" box, and I just have to hit deny. It sucks, but I guess it works. – Mike Caron Nov 05 '15 at 14:33

I'm having the same issue, and the only fix I've found is to keep deleting the keychain password entry like this in Terminal:

security delete-internet-password -l "git-codecommit.us-east-1.amazonaws.com"

I added that to a cron job running every five minutes.

Definitely not the most elegant solution, but helps me to connect. Hope this helps somehow.


This is similar to Pablo's answer, but I use the git credential-osxkeychain erase utility, which takes input from stdin so it's kind of long. So the credential helper line in .gitconfig ends up as follows:

[credential]
    helper = !printf 'host=%s\nprotocol=https\n\n' 'git-codecommit.us-east-2.amazonaws.com' | git credential-osxkeychain erase && aws codecommit credential-helper $@

The basic idea is that it erases the key in the keychain as soon as it is created.

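An added example, not code from the question or from any of the answers, that packages the erase-on-store idea of the last two answers as a stand-alone credential helper: it follows git's helper protocol (action as the first argument, key=value request on stdin), reads the host from the request instead of hardcoding it, forwards get to the AWS CLI, and deletes the Keychain entry on store, which the question's trace shows Apple Git runs only after its own osxkeychain store. The script path, the function names, and the use of `security delete-internet-password -l` with the host as the label (as in the answers above) are my assumptions.

```shell
#!/bin/sh
# Added example, not code from the question or any of the answers: a git
# credential-helper wrapper implementing the helper protocol (action as $1,
# key=value request on stdin, blank line terminates). Names are my own.

# Extract one field (e.g. host) from a buffered key=value request.
cred_field() {
    printf '%s\n' "$2" | sed -n "s/^$1=//p" | head -n 1
}

# Remove the Keychain entry osxkeychain created for this host.
# "Not found" is ignored: on a fresh machine there is nothing to remove.
keychain_forget() {
    security delete-internet-password -l "$1" >/dev/null 2>&1 || true
}

# The real credential source: the short-lived, signature-based password
# that the AWS CLI generates for CodeCommit from the default profile.
aws_helper() {
    aws codecommit credential-helper "$@"
}

# Entry point: git runs `<helper> get|store|erase` with the request on stdin.
codecommit_helper() {
    action="$1"
    request=$(cat)                     # buffer so it can be parsed and forwarded
    host=$(cred_field host "$request")
    case "$action" in
        get)
            # Forward the request unchanged; aws answers with username/password.
            printf '%s\n\n' "$request" | aws_helper get
            ;;
        store|erase)
            # Apple Git has already run `git credential-osxkeychain store` by
            # the time it calls us (see the question's trace), so the freshly
            # cached password is dropped here before it can expire and 403.
            if [ -n "$host" ]; then
                keychain_forget "$host"
            fi
            ;;
    esac
}

# Install with (assumed path):
#   git config --global credential.helper '!/path/to/codecommit-helper.sh'
case "${1:-}" in
    get|store|erase) codecommit_helper "$1" ;;
esac
```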