My company has recently taken over an open source project originally written by Facebook.
As part of this process, we wanted to also ensure that we had an automated virtual machine process that could quickly clone both private and public repositories from GitHub and setup our build process.
Caching your git username/password
There are several ways to cache your git credentials, but most of them involved writing the username and password to an unencrypted file on disk. This was simply out of the question.
GitHub has a document on how to use
osxkeychain helper which is bundled with Xcode (
While this is helpful, this requires you to initially run
git clone and type your username and password. This approach cannot be automated.
Reverse Engineering the process
If you follow the GitHub document, you will find out that in the end it creates an
Internet Password item in the login keychain and it has an ACL pointing to the
osxkeychain helper tool.
After playing around with the helper tool, I finally settled on the following:
# Add Github account /usr/bin/security add-internet-password \ -a "USERNAME" \ -s "github.com" \ -w "PASSWORD" \ -T /Applications/Xcode.app/Contents/Developer/usr/libexec/git-core/git-credential-osxkeychain \ -r "htps" \ login.keychain
When originally testing this, I kept getting stuck on
http when using the -r flag.
-r protocol Specify protocol (optional four-character SecProtocolType, e.g. "http", "ftp ")
According to Apple
https was a valid protocol type, but when trying this, I received the following error:
Error: four-character types must be exactly 4 characters long.
My co-worker joked and said to type
htps and sure enough… it worked.
Snags with Sierra
Unfortunately, while the keychain item looked exactly like the one made with
osxkeychain helper, I kept receiving a popup when using git clone. After dumping the keychains I saw the issue:
credential-osxkeychain (OK) entry 3: authorizations (1): partition_id dont-require-password description: apple-tool: applications: <null>
As of Sierra, Apple added a new partition_id scheme that is honestly still undocumented after a year. You can find people complaining about it on jamfnation, apple discussions, stackoverflow, stackoverflow 2, openradar, github, and github2
Essentially, the partition_id needs to contain
apple-tool:, apple: in the description.
After playing around with it for a while, this is what I found worked
/usr/bin/security set-internet-password-partition-list \ -l "github.com" \ -S "apple-tool:,apple:" \ -k "PASSWORD" \ login.keychain
Putting it altogether
- Xcode Command Line tools
- Username and Password of the account (preferably in an encrypted data format)
# Add Github account credentials /usr/bin/security add-internet-password \ -a "USERNAME" \ -s "github.com" \ -w "PASSWORD" \ -T /Applications/Xcode.app/Contents/Developer/usr/libexec/git-core/git-credential-osxkeychain \ -r "htps" \ login.keychain # Set partition_id to prevent Keychain popups /usr/bin/security set-internet-password-partition-list \ -l "github.com" \ -S "apple-tool:,apple:" \ -k "PASSWORD" \ login.keychain # Set git to use the login keychain for credentials /usr/bin/git config \ --global credential.helper osxkeychain # git clone private repo requiring auth git clone http://github.com/username/privaterepo.git