Error when using Git credential helper with gnome-keyring as Sudo


I was looking for a way to store credentials securely while connecting to our Git server, which uses SSL. I came across this suggestion by @james-ward (https://stackoverflow.com/a/14528360/6195194); the only edit I made was that I updated our "system" config instead of our "global" config for Git:

sudo apt-get install libgnome-keyring-dev
cd /usr/share/doc/git/contrib/credential/gnome-keyring
sudo make
git config --system credential.helper /usr/share/doc/git/contrib/credential/gnome-keyring/git-credential-gnome-keyring

I then can run

git clone https://ipaddress/git/repo.git

and the credential helper will store my credentials, however when I run the following:

sudo git clone https://ipaddress/git/repo.git testfolder

it gives me the following error:

** (process:3713): CRITICAL **: Error communicating with gnome-keyring-daemon

I sometimes need to run sudo git clone since sometimes the directory where I need to make a clone requires it. Any help would be appreciated.

Versions I am using:
- git version 1.9.1
- Ubuntu Server 14.0.4

Thank you in advance! -Richard O.

4

There are 4 best solutions below

1
On BEST ANSWER

I sometimes need to run sudo git clone since sometimes the directory where I need to make a clone requires it. Any help would be appreciated

The folder into which you are trying to clone the repository was created by root, so you don't have permission to write or to create a folder under it unless you are root (sudo). Set the permissions (chmod or chown) and you will be able to clone into the folder.

chmod 755 /path

0
On

Easier: try git-credential-oauth, included in many Linux distributions including Fedora, Debian and Ubuntu.

No more passwords! No more personal access tokens! No more SSH keys!

A Git credential helper that securely authenticates to GitHub, GitLab, BitBucket and other forges using OAuth.

The first time you push, the helper will open a browser window to authenticate. Subsequent pushes within storage lifetime require no interaction.

This is compatible with any storage helper you choose, such as git-credential-cache or git-credential-libsecret (unfortunately not included in Ubuntu).

40
On

Besides the use of sudo, note that in 2016, libgnome-keyring is specific to GNOME and is now deprecated (since January 2014, actually).

2022 option: git-credential-manager

Microsoft provides a cross-platform credential helper named GCM (Git Credential Manager), which you can install (no need to build it) and configure:

git-credential-manager-core configure

You will need Git 2.27+ to use it.

Q4 2022: GCM is now Git Credential Manager (no more -core)

git-credential-manager configure

You will need Git 2.38.1+ to use it.


2016 option: git-credential-libsecret

Git 2.11+ (Q4 2016) included a new credential helper using libsecret.

See commit 87d1353 (09 Oct 2016) by Mantas Mikulėnas (grawity).
(Merged by Junio C Hamano -- gitster -- in commit bfe800c, 26 Oct 2016)

A new credential helper that talks via "libsecret" with implementations of XDG Secret Service API has been added to contrib/credential/.

It uses libsecret, which can support other implementations of the XDG Secret Service API.

But in 2022, this is no longer needed. See above.


As noted by mati865 in the comments:

It should be noted that some distros like Arch and Fedora provide helpers available as both binary and source.

  • Libsecret binary on Arch: /usr/lib/git-core/git-credential-libsecret, and
  • Libsecret binary on Fedora: /usr/libexec/git-core/git-credential-libsecret.

Note: As @rugk adds in the comments, for Fedora and Git v2.25.2-1 or higher, you need to install an extra package with that binary, because it has been split from the main git package:

dnf install git-credential-libsecret

Git 2.41 (Q2 2023) clarifies:

See commit 0a3a972, commit 64f1e65, commit de2fb99, commit 048b673, commit 5747c80, commit 71201ab, commit 16b305c (01 May 2023) by Taylor Blau (ttaylorr).
(Merged by Junio C Hamano -- gitster -- in commit fbbf60a, 10 May 2023)

contrib/credential: remove 'gnome-keyring' credential helper

Co-authored-by: Jeff King
Signed-off-by: Jeff King
Signed-off-by: Taylor Blau

libgnome-keyring was deprecated in 2014 (in favor of libsecret), more than nine years ago.

The credential helper implemented using libgnome-keyring has had a small handful of commits since 2013, none of which implemented or changed any functionality.
The last commit to do substantial work in this area was 15f7221 ("contrib/git-credential-gnome-keyring.c: support really ancient gnome-keyring", 2013-09-23, Git v1.8.5-rc0 -- merge), just shy of nine years ago.

This credential helper suffers from the same fgets()-related injection attack (using the new "wwwauth[]" feature) as in the previous commit.
Instead of patching it, let's remove this helper as deprecated.
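
The fgets()-related issue named in the commit message above comes from reading the helper protocol's newline-delimited key=value lines into a fixed-size buffer: a line longer than the buffer comes back in pieces, and the tail of a long wwwauth[] value is then parsed as if it were an attribute line of its own. The C reader below is an added example, not code from Git or from the answers on this page; it consumes every line in full and drops overlong ones. LINE_CAP, struct cred, the function names and the sample hosts are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

#define LINE_CAP 64  /* deliberately small so the constructed sample exceeds it */
struct cred { char host[LINE_CAP]; int skipped; };

/* Read one protocol line. Returns 1 for a complete line, 0 at EOF, -1 if the
 * line did not fit in buf. The whole line is consumed in every case. */
static int read_attr_line(FILE *in, char *buf, size_t size)
{
    size_t len = 0;
    int c, overlong = 0;
    while ((c = fgetc(in)) != EOF && c != '\n') {
        if (len + 1 < size)
            buf[len++] = (char)c;
        else
            overlong = 1;   /* keep reading, but store nothing more */
    }
    buf[len] = '\0';
    if (c == EOF && len == 0 && !overlong)
        return 0;
    return overlong ? -1 : 1;
}

/* Parse attributes up to the blank line; overlong lines are dropped whole. */
static void parse_credential(FILE *in, struct cred *out)
{
    char line[LINE_CAP];
    int rc;
    memset(out, 0, sizeof(*out));
    while ((rc = read_attr_line(in, line, sizeof(line))) != 0) {
        if (rc < 0) { out->skipped++; continue; }
        if (!*line) break;
        if (!strncmp(line, "host=", 5))
            snprintf(out->host, sizeof(out->host), "%s", line + 5);
    }
}

/* Constructed input: "wwwauth[]=" plus 53 pad bytes is 63 bytes, exactly what
 * fgets() with a 64-byte buffer returns, leaving "host=other.example" behind. */
static int parse_sample(struct cred *out)
{
    FILE *in = tmpfile();
    if (!in) return -1;
    fprintf(in, "host=git.example\nwwwauth[]=%053dhost=other.example\n\n", 0);
    rewind(in);
    parse_credential(in, out);
    fclose(in);
    return 0;
}
```

On the constructed sample the parsed host stays git.example and one overlong line is counted as skipped; a helper could equally treat an overlong line as a hard error.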

1
On

Using sudo runs the command as root. It's like asking your sysadmin, if you have one, to run a command for you. The root user is not meant to do anything development-related, and therefore git is not meant to be used as root.

Once you run a command as another user (root or any other), it is expected that this other user cannot communicate normally with your usual user (in particular, it doesn't find your gnome-keyring-daemon here).

So, the answer is: "don't do that". If you really need to clone in a particular directory, give yourself permissions on that directory as suggested in CodeWizard's answer. Actually, if you need to clone in a directory where you don't have permission, ask yourself whether you are doing something wrong: in principle, this shouldn't happen (my guess is: you already used sudo too much in the past and this is the reason why you have unwritable directories here and there).