11

Our Git server is being changed to require a certificate/private key when accessed by Git clients.

Our Windows users are instructed to import the certificate locally and then configure Git to use the schannel backed for SSL as in

git config --global http.sslBackend schannel

This will obviously not work for macOS users. Is there a way to do something similar with the Git client on macOS?

I found that I can point to the certificate and private key in my Git config, if a) they are in separate files, and b) are in .pem format, like this:

git config --global http.sslCert /Users/.../cert.pem
git config --global http.sslKey /Users/.../key.pem
git config --global http.sslCertPasswordProtected true

After doing this, whenever I try to push/pull, the Git client asks about the password for the private key, like this:

$ git pull
Password for 'cert:////Users/.../cert.pem': *********
Already up to date.

Is there a way to tell the Git client (or the underlying curl client) to use the macOS Keychain for retrieving the certificate, the key and the also the key's passphrase?

I know that newer versions of curl support the -E/--cert parameter to use the keychain, but I'm not sure whether that is available via the Git client.

nwinkler
  • 52,665
  • 21
  • 154
  • 168

2 Answers2

3

I managed to find a way to do this for macOS, using the versions of Git and cURL provided by Homebrew:

  • If you have not done this yet, install Homebrew for macOS.

  • Install cURL and Git using Homebrew:

    brew install curl
brew install --with-curl git

    The --with-curl option is important, since it will force Git to use the Homebrew version of cURL, which includes the required support for the macOS Keychain - through cURL's -E/--cert parameter.

    The Homebrew version of cURL supports looking up the certificate in the user's keychain, using the name/alias provided by the -E/--cert parameter, while the stock macOS version of cURL does not.

    It is necessary to install Git with support for the Homebrew version of cURL, since it will simply use the one from macOS if not told otherwise.

    If you already have Git installed through Homebrew, you have to reinstall it with the --with-curl option:

    brew reinstall --with-curl git

Update With a recent change in the Homebrew Git formula, the --with-curl option was removed. If you still want to use this, you can do the following to install that specific version of Git - this is before the options were removed. To install this specific version of the Git formula, use the following approach (based on these instructions) - you might have to remove your existing Git installation first, though:

# Install curl
brew install curl

# Install the last version of the Git formula that still has the --with-curl option
brew install --with-curl https://raw.githubusercontent.com/Homebrew/homebrew-core/a86ae8fc2b24001b3c6460a46dbfc6e323d2a4d1/Formula/git.rb

# Pin Git in Homebrew so that it does not get updated automatically
brew pin git

  • Import the certificate into your user's login keychain (double-click on the certificate file, e.g. if it's in .pfx format). Check in your user's login keychain for the presence of the certificate (and the private key - they might be in different entries) and note the name of the certificate. We'll assume it's called git.example.com.

  • Configure Git to refer to the certificate entry in your keychain. Don't point it to a local file, but provide the name of the certificate as stored in your keychain. The Homebrew version of cURL has support for this: 

    git config --global http.sslCert git.example.com

    If you only want to use the certificate for a specific server, you can use the following syntax to limit the setting to that specific URL:

    git config --global http."https://git.example.com".sslCert git.example.com

Once you have done the above steps, whenever you run a Git command with the git.example.com server, Git/cURL should try to get the certificate from your Keychain.

For the first access, it might show a window asking you to unlock your login keychain. Provide the password for that keychain and make sure to click the Always Allow button. After that, further Git commands should not require you to provide the passphrase or the keychain password again.

Git credential dialog

You can also edit the .gitconfig file directly, e.g. by adding the following for using the certificate for a specific URL:

[http "https://git.example.com"]                                                                                                                                   
    sslCert = git.example.com
nwinkler
  • 52,665
  • 21
  • 154
  • 168
  • Unfortunately this doesn't work anymore, because the `--with-curl` option was removed recently, see https://github.com/Homebrew/homebrew-core/commit/6547b04b94e96d1f8400ea38db5a6efff4d7f645#diff-3e84bae646d908b93e043833873d316d – Bastien Jansen Jan 30 '19 at 10:26
  • anybody knows how to do this with high sierra and mojave. all suggested commands with --with-curl or --with-brewed-curl --with-brewed-openssl are not working. Unknown commands – black sensei Feb 28 '19 at 19:57
  • I've added a comment that outlines how to install an older version of the Git formula that still includes the options. This will install Git v2.20.1. – nwinkler Apr 03 '19 at 08:54
  • I had to download the file https://raw.githubusercontent.com/Homebrew/homebrew-core/a86ae8fc2b24001b3c6460a46dbfc6e323d2a4d1/Formula/git.rb first and then using the command `brew install --with-curl ./git.rb` to install. – Dali Nov 06 '20 at 08:38
0

What you could also try is to separate the p12 file into it's key and cert components using:

openssl pkcs12 -in /Users/bob/Documents/Certificate-2311d3.p12 -out /Users/bob/Documents/2311d3.key.pem -nocerts -nodes
openssl pkcs12 -in /Users/bob/Documents/Certificate-2311d3.p12 -out /Users/bob/Documents/2311d3.crt.pem -clcerts -nokeys

If you run these commands, you will be prompted to enter your password (twice - once for each command). Now the key and cert are no longer password protected.

Note: The generated key and cert files should not leave your local (hopefully encrypted) filesystem. They are now kind of 'unprotected' and anyone who gains access to them can access your remote server - same as regular ssh keys. The p12 file format was designed as a portable container, you can send this all over the internet as long as it is password protected, but once you have it where you need it, extracting it into unprotected components is, in my opinion, totally fine.

You can then clone your remote repo using similar commands to what you have already tried, like so:

git init
git remote add origin https://my.webserver.com/something/repo.git
git config http.sslCert /Users/bob/Documents/2311d3.crt.pem
git config http.sslKey /Users/bob/Documents/2311d3.key.pem
git fetch

You won't then be asked for the password each time you interact with the remote repo, nor will git have to interact with the osx keychain.

There are many other http settings that might be applicable to your specific situation, I really recommend reading through the official git config http documentation, it really helped me out (as did your post!).

shredder
  • 1,438
  • 13
  • 12