Discover different ways to store your Git login information, from the most secure option to less secure ones.
Git credential helpers are tools that help you securely store and retrieve your Git credentials, like usernames and passwords. They make it easier to use Git without having to type in your credentials every time.
There are different ways to securely store your login information (like your username and personal token) when using Git. Some ways are more secure than others.
The most secure option is to use a tool called Git Credential Manager Core. It encrypts your login information and stores it safely, which means it turns the information into a secret code that only your computer can understand. This makes it very difficult for anyone else to read your login information even if they have access to your computer or your remote server.
The information is stored in a special place on your computer where only Git Credential Manager Core can access it. This ensures that your login information stays safe and private.
Additionally, Git Credential Manager Core is designed to follow strict security standards to protect your information. It is regularly updated to fix any security vulnerabilities and to keep your login information safe.
I like to use Git Credential Manager (GCM) to set up Continuous Integration and Continuous Deployment (CI/CD) pipelines. GCM helps manage my login details securely, making it easier to automate the process of testing and deploying my code.
To fully enjoy the benefits of GCM we need to do the following:
1. Download the latest .deb package to your temporary folder:
wget -O /tmp/gcm-linux_amd64.2.4.1.deb https://github.com/git-ecosystem/git-credential-manager/releases/download/v2.4.1/gcm-linux_amd64.2.4.1.deb
2. Install the package:
sudo dpkg -i /tmp/gcm-linux_amd64.2.4.1.deb
3. Configure Git to use GCM Core as the credential helper:
git config --global credential.helper manager-core
Alternatively, if you had any other helpers previously installed:
git config --global --replace-all credential.helper manager-core
4. Verify the configuration:
git config --global credential.helper
But this is only the beginning. We will probably see the error "credential-manager-core is not a git command", which suggests that the Git Credential Manager Core command-line interface is not properly installed or configured. So we need to configure the interface:
1. Let's find the location of the gcm executable by running:
dpkg -L gcm | grep bin
2. Create a new bash file 'git-credential-manager-core.sh':
#!/bin/bash
# Forward every argument unchanged; the quotes keep arguments with spaces intact
/usr/local/bin/git-credential-manager "$@"
3. Save the file and make it executable:
chmod +x git-credential-manager-core.sh
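4. Move the file to a directory in your PATH, dropping the .sh extension so that Git can find it under the name git-credential-manager-core. For example, you can move it to /usr/local/bin to make it accessible system-wide:
sudo mv git-credential-manager-core.sh /usr/local/bin/git-credential-manager-core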
5. You can also create an alias in your shell configuration file (e.g., .bashrc or .zshrc) to point to the executable. Add the following line to the file:
alias git-credential-manager-core='/usr/local/bin/git-credential-manager-core'
A Git alias can point to the same executable (the leading ! tells Git to run it as an external command):
git config --global alias.credential-manager-core '!/usr/local/bin/git-credential-manager-core'
6. Run as a custom Git command:
git-credential-manager-core --version
Next, we need to select the credentials store: secretservice (requires graphical interface), gpg (yes!), cache (no!), plaintext (no no!).
1. Let's set Git Credential Manager (GCM) to use the GPG-compatible credential storage option:
git config --global credential.credentialStore gpg
2. Let's generate a new GPG key:
gpg --full-generate-key
When generating the key, don't forget to enter all the details, including the name and e-mail, because GnuPG needs to construct a user ID to identify your key.
3. List keys:
gpg --list-keys
In this context,
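4. Initialize the password store with the ID of your GPG key (replace <gpg-id> with the key ID or e-mail shown by the previous command):
pass init <gpg-id>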
Now, when you run 'git pull', GCM will ask you to select an authentication method for github.com; choose #2, "personal access token".
After that, GCM will save your credentials and you will be able to use Git without entering them again.
Additional info on how to list GPG keys if you want to add them to GitHub:
gpg --list-secret-keys --keyid-format=long
gpg --armor --export
You can also use this command to get familiar with the secret key management for GnuPG:
man gpg-agent
The manual advises that you should always add the following lines to your .bashrc or whatever initialization file is used for all shell invocations:
GPG_TTY=$(tty)
export GPG_TTY
GitHub Actions uses bash as the default shell for running commands in workflows, so we can add the lines to the .bashrc file and source them:
echo 'GPG_TTY=$(tty)' >> ~/.bashrc
echo 'export GPG_TTY' >> ~/.bashrc
source ~/.bashrc
GPG_TTY=$(tty) is a command in Unix-like operating systems (including Linux and macOS) that sets the GPG_TTY environment variable to the current terminal device. This is typically used to ensure that GnuPG (GPG), a tool for secure communication and data storage, knows which terminal to use for user interaction, such as entering a passphrase for a GPG key.
That's it! You can stop here. Now, the helpers listed below are just for your information. If you're thinking about using one, make sure to think about all the good and bad points, as some of them might not be safe to use.
Another option is to use a caching system. This stores your login information in your computer's memory for a short time, making it convenient to use Git without typing your login information repeatedly.
The following commands select Git's built-in credential cache and keep your credentials for 300 seconds:
git config --global credential.helper cache
git config --global credential.helper 'cache --timeout=300'
The cache helper is different from the others because it stores your credentials in memory, which means they're not stored permanently on your computer. This makes it more secure than the store helper but less secure than GCM Core.
Another option for storing Git credentials securely on Ubuntu is to use the GNOME Keyring with the libsecret library. This approach integrates Git with the GNOME Keyring, which is a secure storage system for sensitive information like passwords.
sudo apt-get install -y libsecret-1-0 libsecret-1-dev
git config --global credential.helper /usr/share/doc/git/contrib/credential/gnome-keyring/git-credential-gnome-keyring
When you clone a repository using HTTPS, Git will prompt you to unlock the GNOME Keyring to store your credentials securely.
The least secure option is to store your login information in a plain text file ~/.git-credentials on your computer or remote server in the format "https://YOUR_LOGIN:YOUR_PERSONAL_TOKEN@github.com". This is not recommended because anyone who can access your computer can see your login information.
To set up the store credential helper, use the following command:
git config --global credential.helper store
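An added example, not part of the original post: a small POSIX shell audit that lists which logins and hosts have a token sitting in a store-helper file, without printing the token, and flags loose file permissions. The function names and the sample entries are made up for illustration.

```sh
#!/bin/sh
# Added example: audit a store-helper file without printing any secret.
# Assumes entries use the scheme://login:token@host form quoted above.

# Print "scheme login host" per entry; the token is matched, never emitted.
list_stored_credentials() {
    [ -r "$1" ] || return 0
    sed -n -E 's|^([a-z]+)://([^:@/]+):[^@]+@([^/]+).*$|\1 \2 \3|p' "$1"
}

# True when group and other have no permission bits (e.g. -rw-------).
file_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Report findings; returns 0 when nothing is stored in plaintext, 1 otherwise.
audit_git_credentials() {
    file=${1:-$HOME/.git-credentials}
    [ -e "$file" ] || { echo "OK: $file not present"; return 0; }
    entries=$(list_stored_credentials "$file")
    [ -n "$entries" ] || { echo "OK: no secrets in $file"; return 0; }
    echo "$entries" | while read -r scheme login host; do
        echo "FINDING: plaintext token for '$login' at $scheme://$host"
    done
    file_is_private "$file" ||
        echo "FINDING: $file is readable by group or other users"
    return 1
}

# Constructed sample entries (not real tokens) for an offline trial run.
write_sample() {
    printf '%s\n' \
        'https://alice:NOT-A-REAL-TOKEN@github.com' \
        'https://bob:NOT-A-REAL-TOKEN@gitlab.example.com' > "$1"
    chmod 644 "$1"
}

# Audit the path given as $1, or the constructed sample when none is given.
sample=$(mktemp) && write_sample "$sample"
audit_git_credentials "${1:-$sample}" || true
rm -f "$sample"
```

A non-zero return means tokens are sitting in cleartext; after switching to an encrypted store, remove the file and rotate the tokens it held.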
So, to use these helpers, you can simply clone a repository or pull changes from GitHub, and Git will prompt you for your username and personal access token. Once you enter them, Git will remember them based on the credential helper you've configured.
Good luck!
May all your endeavors be successful, and may your code always run smoothly.
Best Regards,
Artem