11

I've been recently looking for a solution on how to securely save git credentials in CentOS 7.

I want to save credentials for multiple git repositories.

The solution that I came up with is to use gnome-keyring with any version of git, but I was experiencing some issues with it, and I found many posts saying it's not a good solution in Red Hat 7 or CentOS 7, and that it will be deprecated.

```
git config --global credential.helper /usr/share/doc/git/contrib/credential/gnome-keyring/git-credential-gnome-keyrin
```

But this didn't work for me; I got an error when using git:

```
error communicating with gnome-keyring-daemon
```

Then I upgraded git to the latest version, 2.11+, to use libsecret, which seems to be easier to use.

I have done the same thing:

```
git config --global credential.helper /usr/share/doc/git/contrib/credential/libsecret/git-credential-libsecret
```

And this seems to work as expected. My question is: is this a good solution to securely save git credentials? Do you know any other solution to save git credentials on a CentOS machine?

Stranger B.
  • I have followed these steps. After I filled in the credentials in the .git-credential file, I opened it and it wasn't encrypted. – M.Abulsoud Oct 23 '18 at 06:19
  • In git 2.20.1 libsecret comes with gnome, and I can just do: `git config --global credential.helper libsecret`. It does not create any .git-credential file. Ensure that credential-store is not enabled to avoid storing credentials in plain text, and delete the file with shred. – Poikilos Apr 19 '19 at 21:55
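
A check for the point raised in the comments above (keep credential-store disabled and make sure its plaintext file is gone), as an added example that is not part of the original thread. The function names are hypothetical; the two file locations are git-credential-store's defaults (`~/.git-credentials` and `$XDG_CONFIG_HOME/git/credentials`), and only the unscoped `credential.helper` setting is examined.

```shell
#!/bin/sh
# Added example, not from the thread. On a real machine:
#   git config --get-all credential.helper | audit_helpers "$HOME"
# Function names are hypothetical; only unscoped credential.helper is covered.

# classify_helper VALUE -> plaintext | keyring | memory | other
classify_helper() {
    case "$1" in
        store|"store "*|*git-credential-store*) echo plaintext ;;
        libsecret|*git-credential-libsecret*|*gnome-keyring*) echo keyring ;;
        cache|"cache "*|*git-credential-cache*) echo memory ;;
        *) echo other ;;
    esac
}

# audit_helpers HOME_DIR
# Reads helper values on stdin (one per line), prints one finding per line,
# and returns 1 if a plaintext helper is active or a store file is present.
audit_helpers() {
    home=$1
    found=0
    active=""
    while IFS= read -r helper; do
        # git treats an empty credential.helper value as "reset the list".
        if [ -z "$helper" ]; then
            active=""
            continue
        fi
        active="$active$(classify_helper "$helper"):$helper
"
    done
    printf '%s' "$active" | sed 's/^/helper /'
    if printf '%s' "$active" | grep -q '^plaintext:'; then
        found=1
    fi
    # Default locations written by git-credential-store.
    for f in "$home/.git-credentials" \
             "${XDG_CONFIG_HOME:-$home/.config}/git/credentials"; do
        if [ -s "$f" ]; then
            echo "plaintext-file $f"
            found=1
        fi
    done
    return "$found"
}
```

A `plaintext-file` finding is the leftover file the comment above says to delete with shred once a keyring-backed helper is in place.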

1 Answer

8

> is this a good solution to securely save git credentials?

Yes, as I documented in "Error when using Git credential helper with gnome-keyring as Sudo".
libsecret implements XDG Secret Service API.

It is the current official library to use.


Update Git 2.15.x/2.16 (Q1 2018), where the credential helper for libsecret (in contrib/) has been improved to allow possibly prompting the end user to unlock secrets that are currently locked (otherwise the secrets may not be loaded).

See commit 9c109e9 (03 Nov 2017) by Dennis Kaarsemaker (seveas).
(Merged by Junio C Hamano -- gitster -- in commit 906329f, 09 Nov 2017)

> credential-libsecret: unlock locked secrets
>
> Credentials exposed by the secret service DBUS interface may be locked.
> Setting the SECRET_SEARCH_UNLOCK flag will make the secret service unlock these secrets, possibly prompting the user for credentials to do so.
> Without this flag, the secret is simply not loaded.


Reminder: libgnome-keyring is specific to GNOME and is:

VonC
  • Have you tried this on a server like Red Hat 7 or CentOS 7? Actually, I'm getting an error. `** (process:11877): CRITICAL **: could not connect to Secret Service: Error spawning command line 'dbus-launch --autolaunch=147f3c2e379941d69295f33356ab3a6b --binary-syntax --close-stderr': Child process exited with code 1` – Stranger B. Feb 17 '17 at 14:35
  • @user2841703 with which Git version? The credential helper calls https://people.gnome.org/~gcampagna/docs/Secret-1/Secret.Service.get_sync.html – VonC Feb 17 '17 at 14:38
  • @user2841703 and is the package libsecret installed on your CentOS 7 or Red Hat 7? (http://rpm.pbone.net/index.php3/stat/3/limit/2/srodzaj/1/dl/40/search/libsecret-1.so.0%28%29%2864bit%29/field[]/1/field[]/2) – VonC Feb 17 '17 at 14:43
  • the last git version 2.11 and git-credential-libsecret – Stranger B. Feb 17 '17 at 14:49
  • @user2841703 git-credential-libsecret is the utility which then calls the gnome libsecret tool. Is libsecret properly installed? – VonC Feb 17 '17 at 14:54
  • Yes, libsecret and libsecret-devel are properly installed, and I had to install dbus-x11-1.6.12-11.el7.x86_64 too. I think the problem comes from dbus. – Stranger B. Feb 17 '17 at 15:12
  • Let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/135977/discussion-between-user2841703-and-vonc). – Stranger B. Feb 17 '17 at 15:14
  • I have followed these steps. After I filled in the credentials in the .git-credential file, I opened it and it wasn't encrypted. – M.Abulsoud Oct 23 '18 at 06:20
  • @M.Abulsoud I don't think those steps involve putting your credentials in `.git-credential`. As I was saying, a new question is best. – VonC Oct 23 '18 at 06:47
  • @vonc I opened the Passwords and Keys app and found the credentials there. It seems it works. – M.Abulsoud Oct 23 '18 at 10:48
  • I'm using Ubuntu. I entered the path to libsecret in my .gitconfig, but libsecret isn't storing the credentials. Every time I make a commit, I have to enter my credentials again and again. Do I have to set up this flag: *SECRET_SEARCH_UNLOCK*? If so, how? – asa Apr 11 '21 at 11:21
  • @AfonsoSchulzAlbrecht path to libsecret? That should not be needed. A simple `git config credential.helper libsecret` is enough. Then you can check what is stored in it following https://stackoverflow.com/a/66650654/6309 – VonC Apr 11 '21 at 11:24
  • I ran the command `git config credential.helper libsecret` successfully, then I entered my credentials in a pull request, but it seems that libsecret isn't storing them because in the following pull requests, git keeps asking for my credentials. (I'm using WSL2, running Ubuntu, so it shouldn't be a problem imo) – asa Apr 11 '21 at 11:40
  • 1
    @AfonsoSchulzAlbrecht On Ubuntu WSL2, I would recommend instead manager-core: https://stackoverflow.com/a/66779565/6309 (because of dbus issue: https://github.com/microsoft/WSL/issues/4254) – VonC Apr 11 '21 at 14:01