Categories
git git-config git-push github

Is there a way to cache https credentials for pushing commits?

2040

I recently switched to synchronizing my repositories to https:// on GitHub (due to firewall issues), and it asks for a password every time.

Is there a way to cache the credentials, instead of authenticating every time that git push?

3

2554

Since Git 1.7.9 (released 2012), there is a neat mechanism in Git to avoid having to type your password all the time for HTTP / HTTPS, called credential helpers.

You can just use one of the following credential helpers:

git config --global credential.helper cache

The credential.helper cache value tells Git to keep your password cached in memory for a particular amount of minutes. The default is 15 minutes, you can set a longer timeout with:

# Cache for 1 hour
git config --global credential.helper "cache --timeout=3600"

# Cache for 1 day
git config --global credential.helper "cache --timeout=86400"

# Cache for 1 week
git config --global credential.helper "cache --timeout=604800"

You can also store your credentials permanently if so desired, see the other answers below.

GitHub’s help also suggests that if you’re on Mac OS X and used Homebrew to install Git, you can use the native Mac OS X keystore with:

git config --global credential.helper osxkeychain

For Windows, there is a helper called Git Credential Manager for Windows or wincred in msysgit.

git config --global credential.helper wincred # obsolete

With Git for Windows 2.7.3+ (March 2016):

git config --global credential.helper manager

For Linux, you would use (in 2011) gnome-keyring(or other keyring implementation such as KWallet).

Nowadays (2020), that would be (on Linux)

Fedora

sudo dnf install git-credential-libsecret
git config --global credential.helper /usr/libexec/git-core/git-credential-libsecret

Ubuntu

sudo apt-get install libsecret-1-0 libsecret-1-dev
cd /usr/share/doc/git/contrib/credential/libsecret
sudo make
git config --global credential.helper /usr/share/doc/git/contrib/credential/libsecret/git-credential-libsecret

25

  • 79

    Don’t store your password in plain text. As of Git 1.7.9 you can use credential helpers. git config --global credential.helper osxkeychain on OS X. For other OS see help.github.com/articles/set-up-git

    – dazonic

    Jun 22, 2012 at 7:29


  • 6

    FWIW, the osx keychain stuff is part of base GIT source code, it’s not an exclusive component of Brew or MacPorts or whatever the flavor of the month is. And you don’t even need to build git from scratch – just cd contrib/credential/osxkeychain/ and run make.

    Apr 9, 2013 at 14:04

  • 3

    With two factor authentication you have to use what github calls a Person Access Token. In fact you should always use one, as unlike a password you can control what access it gives. Just replace the password in the url so you end up with https://username:[email protected]/username/project.git. It makes plain text passwords stored on disk almost safe enough to use.

    Apr 10, 2014 at 10:18


  • 13

    git config --global credential.helper cache doesn’t work on windows: stackoverflow.com/questions/11693074/… use gitcredentialstore on Windows an be happy

    Jan 2, 2015 at 15:35


  • 8

    Any way to set this timeout to infinity?

    – sudo

    Aug 10, 2015 at 18:25

762

You can also have Git store your credentials permanently using git-credential-store as following:

git config credential.helper store

Note: While this is convenient, Git will store your credentials in clear text in
a local file (.git-credentials) under your project directory (see below for the “home” directory). If you don’t like this, delete this file and switch to using the
cache option.

If you want Git to resume to asking you for credentials every time it needs to
connect to the remote repository, you can run this command:

git config --unset credential.helper

To store the passwords in .git-credentials in your %HOME% directory as opposed to the project directory: use the --global flag

git config --global credential.helper store

12

  • 7

    On Windows, you can download a helper utility configures things to store an encrypted version of your GIT password in the Windows Creditial Store, see confluence.atlassian.com/display/STASH/…

    – Contango

    Jan 22, 2013 at 18:39


  • 79

    I found that I had to specify –global or it would try to store the settings in the current repository: git config --global credential.helper store

    – Rag

    May 15, 2013 at 3:25

  • 6

    Why would do the cache instead of storing permanently? Sharing computers or something?

    Aug 24, 2013 at 15:42

  • 3

    @BrianGordon I’m using GIT 1.9.5 on Windows, and --global flag was redundant. Even without this flag, the credentials file was created in %USER_HOME% directory.

    – jFrenetic

    Aug 18, 2015 at 16:24

  • 2

    if not storing in plain text, what is it protected with? Your password? Wouldn’t it then have to ask you for your admin password when you connect to git? Isn’t having to enter a password to get another password a little strange?

    – Cruncher

    Mar 10, 2016 at 15:35

115

TLDR; Use an encrypted netrc file with Git 1.8.3+.

Saving a password for a Git repository HTTPS URL is possible with a ~/.netrc (Unix) or %HOME%/_netrc (note the _) on Windows.

But: That file would store your password in plain text.

Solution: Encrypt that file with GPG (GNU Privacy Guard), and make Git decrypt it each time it needs a password (for push/pull/fetch/clone operation).


Note: with Git 2.18 (Q2 2018), you now can customize the GPG used to decrypt the encrypted .netrc file.

See commit 786ef50, commit f07eeed (12 May 2018) by Luis Marsano (“).
(Merged by Junio C Hamano — gitster in commit 017b7c5, 30 May 2018)

git-credential-netrc: accept gpg option

git-credential-netrc was hardcoded to decrypt with ‘gpg‘ regardless of
the gpg.program option.
This is a problem on distributions like Debian that call modern GnuPG something else, like ‘gpg2


Step-by-Step instructions for Windows

With Windows:

(Git has a gpg.exe in its distribution, but using a full GPG installation includes a gpg-agent.exe, which will memorize your passphrase associated to your GPG key.)

  • Install gpg4Win Lite, the minimum gnupg command-line interface (take the most recent gpg4win-vanilla-2.X.Y-betaZZ.exe), and complete your PATH with the GPG installation directory:

    set PATH=%PATH%:C:\path\to\gpg
    copy C:\path\to\gpg\gpg2.exe C:\path\to\gpg\gpg.exe
    

(Note the ‘copy‘ command: Git will need a Bash script to execute the command ‘gpg‘. Since gpg4win-vanilla-2 comes with gpg2.exe, you need to duplicate it.)

  • Create or import a GPG key, and trust it:

    gpgp --import aKey
    # or
    gpg --gen-key
    

(Make sure to put a passphrase to that key.)

  • Trust that key

  • Install the credential helper script in a directory within your %PATH%:

    cd c:\a\fodler\in\your\path
    curl -o c:\prgs\bin\git-credential-netrc https://raw.githubusercontent.com/git/git/master/contrib/credential/netrc/git-credential-netrc.perl
    

(Beware: the script is renamed in Git 2.25.x/2.26, see below)

(Yes, this is a Bash script, but it will work on Windows since it will be called by Git.)

  • Make a _netrc file in clear text

    machine a_server.corp.com
    login a_login
    password a_password
    protocol https
    
    machine a_server2.corp.com
    login a_login2
    password a_password2
    protocol https
    

(Don’t forget the ‘protocol‘ part: ‘http‘ or ‘https‘ depending on the URL you will use.)

  • Encrypt that file:

    gpg -e -r a_recipient _netrc
    

(You now can delete the _netrc file, keeping only the _netrc.gpg encrypted one.)

  • Use that encrypted file:

    git config --local credential.helper "netrc -f C:/path/to/_netrc.gpg -v"
    

(Note the ‘/‘: C:\path\to... wouldn’t work at all.) (You can use at first -v -d to see what is going on.)

From now on, any Git command using an HTTP(S) URL which requires authentication will decrypt that _netrc.gpg file and use the login/password associated to the server you are contacting.
The first time, GPG will ask you for the passphrase of your GPG key, to decrypt the file.
The other times, the gpg-agent launched automatically by the first GPG call will provide that passphrase for you.

That way, you can memorize several URLs/logins/passwords in one file, and have it stored on your disk encrypted.
I find it more convenient than a “cache” helper”, where you need to remember and type (once per session) a different password for each of your remote services, for said password to be cached in memory.


With Git 2.26 (Q1 2020), the sample credential helper for using .netrc has been updated to work out of the box. See patch/discussion.

See commit 6579d93, commit 1c78c78 (20 Dec 2019) by Denton Liu (Denton-L).
(Merged by Junio C Hamano — gitster in commit 1fd27f8, 25 Dec 2019)

contrib/credential/netrc: make PERL_PATH configurable

Signed-off-by: Denton Liu

The shebang path for the Perl interpreter in git-credential-netrc was hardcoded.
However, some users may have it located at a different location and thus, would have had to manually edit the script.

Add a .perl prefix to the script to denote it as a template and ignore the generated version.
Augment the Makefile so that it generates git-credential-netrc from git-credential-netrc.perl, just like other Perl scripts.

The Makefile recipes were shamelessly stolen from contrib/mw-to-git/Makefile.

And:

With 2.26 (Q1 2020), Sample credential helper for using .netrc has been updated to work out of the box.

See commit 6579d93, commit 1c78c78 (20 Dec 2019) by Denton Liu (Denton-L).
(Merged by Junio C Hamano — gitster in commit 1fd27f8, 25 Dec 2019)

contrib/credential/netrc: work outside a repo

Signed-off-by: Denton Liu

Currently, git-credential-netrc does not work outside of a git repository. It fails with the following error:

fatal: Not a git repository: . at /usr/share/perl5/Git.pm line 214.

There is no real reason why need to be within a repository, though. Credential helpers should be able to work just fine outside the repository as well.

Call the non-self version of config() so that git-credential-netrc no longer needs to be run within a repository.

Jeff King (peff) adds:

I assume you’re using a gpg-encrypted netrc (if not, you should probably
just use credential-store).
For “read-only” password access, I find the combination of pass with config like this is a bit nicer:

[credential "https://github.com"]
  username = peff
  helper = "!f() { test $1 = get && echo password=`pass github/oauth`; }; f"

8

  • 1

    trying the same thing on linux .. git config –local credential.helper “netrc -f /home/me/.netrc.gpg -v -d” ..and i get “git : ‘credential-netrc’ is not a git command. see ‘git –help'”

    – sunny

    Dec 21, 2013 at 3:26

  • 4

    @sunny That is what the curl -o c:\prgs\bin\git-credential-netrc https://raw.github.com/git/git/master/contrib/credential/netrc/git-credential-netrc is for: you need to copy the git-credential-netrc anywhere in your path ($PATH), in order for git to be able to call ‘credential-netrc‘.

    – VonC

    Dec 22, 2013 at 0:14


  • Well, the _netrc didn’t work for me on a Windows 7 PC, but the .netrc worked for youtube-dl with the --netrc argument passed to it.

    Apr 12, 2015 at 23:02

  • @VonC the current URL seems to be https://raw.githubusercontent.com/git/git/master/contrib/credential/netrc/git-credential-netrc.perl (piping in seven years later 😉)

    Mar 25, 2020 at 22:50

  • 1

    @GwynethLlewelyn Thank you. I have edited the answer accordingly. Don’t hesitate to edit it yourself if you see any other obsolete information.

    – VonC

    Mar 26, 2020 at 5:06