@jiajie-chen
Last active May 6, 2024 17:15
How to setup git-credential-netrc with encrypted .netrc credentials

Warning

This tutorial is outdated! I do not recommend using this method anymore, as there are better tools now.

For better alternatives, try out:

Git credential storage with git-credential-netrc

Using GitHub with SAML SSO integration often adds some hurdles to command-line authentication. In order to authenticate with a GitHub repo that requires SAML SSO, you need to use a generated access token instead of your GitHub password.

This creates an extra hurdle to securely save and use this token when interacting with the repo. Git credential helpers can be used to make this easier - the wincred and libsecret helpers can be used to securely save credentials on Windows and Linux, respectively.

However, libsecret doesn't work nicely on Linux servers that lack GUI capabilities. An alternative is to use git-credential-netrc, which supports encrypted .netrc.gpg files and works on the command-line.

Setup GPG keys

Generate new key-pair and password

First, use gpg2 to make keys for encrypting a .netrc.gpg file:

gpg2 --full-generate-key

This will start a wizard that walks you through key creation. The default settings should be sufficient for this purpose. The wizard will also prompt you for a password - this will be used instead of the GitHub access token when accessing the repo.

Key generation entropy

After the password prompt, GPG will begin generating a key-pair based on random entropy. You can speed this up by starting a new secondary shell and running one of the following commands:

sudo rngd -r /dev/urandom -f # requires the rng-tool package
(find / | xargs file) &> /dev/null # non-sudo alternative

Once the main GPG wizard is done, you can ctrl-c in the second shell to stop the entropy generation.

Ensure gpg-agent is configured

You should also check to see that gpg-agent has been properly configured.

In your .bashrc the following lines need to exist:

GPG_TTY=$(tty)
export GPG_TTY

You should also ensure pinentry exists:

which pinentry

Create .github.netrc.gpg

Using the GPG keys, you can encrypt your GitHub access token. Run:

gpg2 --encrypt --recipient <your GitHub login email> -o $HOME/.github.netrc.gpg -

Then type in your .netrc configuration into STDIN:

machine github.com
login <your GitHub username>
password <your GitHub access token>
protocol https

Finally, press ctrl-d to end the GPG input. This will encrypt the input into .github.netrc.gpg located in your home folder.

Setup git-credential-netrc

Install

You can download git-credential-netrc from GitHub:

sudo curl \
  -o /usr/share/doc/git/contrib/credential/netrc/git-credential-netrc \
  https://raw.githubusercontent.com/git/git/master/contrib/credential/netrc/git-credential-netrc

You can also download it to your local home directory instead; adjust the commands below so they point at the right file.

Make sure it's executable:

sudo chmod a+x /usr/share/doc/git/contrib/credential/netrc/git-credential-netrc

Setup .gitconfig

Now you can adjust your .gitconfig to use the credential helper and the encrypted credentials. Add the following lines to your .gitconfig file (globally or locally):

[credential "https://github.com"]
        helper = "/usr/share/doc/git/contrib/credential/netrc/git-credential-netrc --gpg gpg2 -f $HOME/.github.netrc.gpg"
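To make the configured flow concrete, here is an added example (not part of the gist and not the real git-credential-netrc, which is a Perl script shipped with Git). When git needs credentials it writes key=value lines such as `protocol=https` and `host=github.com` to the helper's stdin and expects `username=` and `password=` lines back; the helper decrypts the .netrc.gpg file and looks up the matching `machine` entry. The functions below implement that lookup on already-decrypted netrc text so it can be run without gpg, wrap it in the decrypt step the gist configures, and add a permission check for the files the Notes section says must stay protected. All file names, the sample netrc text and the token value are constructed for illustration.

```sh
#!/bin/sh
# Added example: a minimal stand-in for the git-credential-netrc lookup,
# plus a permission check for the encrypted netrc and the GPG home directory.

# Usage: netrc_lookup HOST < netrc-text
# Prints the git-credential answer for HOST; returns 1 if no entry matches.
# .netrc is a token stream ("machine X login Y password Z"), so the entry may
# span one line or several; walk the tokens and track the current machine.
netrc_lookup() {
    host="$1"
    awk -v want="$host" '
        {
            for (i = 1; i <= NF; i++) {
                if ($i == "machine")                      { cur = $(i+1); i++ }
                else if ($i == "login" && cur == want)    { login = $(i+1); i++ }
                else if ($i == "password" && cur == want) { pass = $(i+1); i++ }
                else if ($i == "protocol" && cur == want) { proto = $(i+1); i++ }
            }
        }
        END {
            if (login == "") exit 1          # no entry for this host
            if (proto != "") print "protocol=" proto
            print "host=" want
            print "username=" login
            print "password=" pass
        }'
}

# Usage: answer_git_query NETRC_GPG_FILE < git-query
# Reads the host= line git sends, decrypts the file the same way the gist
# configures (gpg2, prompting through gpg-agent/pinentry) and answers.
answer_git_query() {
    file="$1"
    host=$(sed -n 's/^host=//p')
    [ -n "$host" ] || return 1
    gpg2 --quiet --decrypt "$file" | netrc_lookup "$host"
}

# Usage: check_private PATH
# Returns 0 if PATH is accessible by its owner only (600/400 for files, 700
# for a directory such as ~/.gnupg), 1 otherwise. A group- or world-readable
# .netrc.gpg or keyring is the usual slip this setup is meant to avoid.
check_private() {
    f="$1"
    [ -e "$f" ] || return 1
    # GNU stat first, BSD/macOS stat as fallback
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    case "$mode" in
        600|400|700) return 0 ;;
        *) return 1 ;;
    esac
}

# Stand-alone demo on constructed data (no gpg needed):
demo() {
    printf 'machine github.com\nlogin octocat\npassword ghp_constructed_example\nprotocol https\n' \
        | netrc_lookup github.com
    check_private "$HOME/.github.netrc.gpg" || echo "warning: ~/.github.netrc.gpg is not owner-only"
    check_private "$HOME/.gnupg" || echo "warning: ~/.gnupg is not owner-only"
}
```

Running `demo` prints the four lines git would receive for github.com and warns if either protected path is readable by others; `answer_git_query ~/.github.netrc.gpg` can be fed a real `host=github.com` query to exercise the decrypt step once the keys from the steps above exist.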

Done!

You can now push/pull from SAML SSO GitHub repos using a password instead of an access token!

Notes

Make sure you keep your GPG keys, access token, and password secured and safe. The password you provided is used to decrypt the generated GPG private key, and that key is used to decrypt your .netrc.gpg file.

Unfortunately, GPG currently does not let you specify the encryption of the private key store, so it is essential that you protect your GPG keys!
