Re: Fwd: Git credentials not working
Thanks everyone. All your answers helped. I found out that the issue was not related to git. I am using semantic-release to perform a release, apparently git-credentials is not working with semantic-release. I did also setup the double authentication and every fix applied on git-credentials were simply useless. Read more here : https://github.com/semantic-release/semantic-release/issues/941#issuecomment-426691824 Thanks a lot for your help and git is the best software ever made thanks! Dimitri Kopriwa On 10/4/18 3:43 AM, Jeff King wrote: On Thu, Oct 04, 2018 at 02:34:17AM +0700, Dimitri Kopriwa wrote: I have replaced the way I fill the git credentials store, I have verify ~/.git-credentials and information are there, the ~/.gitconfig look fine too. I still have 401 error when reading from that file. This is the paste log : https://paste.gnome.org/pmntlkdw0 Now that I use git approve, I dont think that I need a custom helper. Any idea why I still can't log in using git-credential? Looking at your pastebin, it looks like the server sometimes takes it and sometimes not. E.g., piping the log through: egrep '(Send|Recv) header:' | perl -lpe 's/^.*?(=>|<=) //' I see: Send header: GET /example-keys/sample-project.git/info/refs?service=git-upload-pack HTTP/1.1 Send header: User-Agent: git/2.19.0 ... Recv header: HTTP/1.1 401 Unauthorized Recv header: WWW-Authenticate: Basic realm="GitLab" ... Send header: GET /example-keys/sample-project.git/info/refs?service=git-upload-pack HTTP/1.1 Send header: Authorization: Basic Send header: User-Agent: git/2.19.0 ... Recv header: HTTP/1.1 200 OK So that works. But then later we get: Send header: GET /example-keys/sample-project.git/info/refs?service=git-upload-pack HTTP/1.1 Send header: User-Agent: git/2.19.0 ... Recv header: HTTP/1.1 401 Unauthorized Recv header: WWW-Authenticate: Basic realm="GitLab" ... Send header: GET /example-keys/sample-project.git/info/refs?service=git-upload-pack HTTP/1.1 Send header: Authorization: Basic Send header: User-Agent: git/2.19.0 ... Recv header: HTTP/1.1 401 Unauthorized And then that causes credential-store to delete the non-working entry, after which all of them must fail (because you have no working credential, and presumably no terminal to prompt the user). I have no idea why the same request would sometimes be allowed and sometimes not. It's possible the data is different in those two times, but I don't know why that would be. It's also possible you're hitting different load-balancing servers that behave differently. -Peff
Re: Fwd: Git credentials not working
On Thu, Oct 04, 2018 at 02:34:17AM +0700, Dimitri Kopriwa wrote: > I have replaced the way I fill the git credentials store, I have verify > ~/.git-credentials and information are there, the ~/.gitconfig look fine > too. > > I still have 401 error when reading from that file. > > This is the paste log : https://paste.gnome.org/pmntlkdw0 > > Now that I use git approve, I dont think that I need a custom helper. > > Any idea why I still can't log in using git-credential? Looking at your pastebin, it looks like the server sometimes takes it and sometimes not. E.g., piping the log through: egrep '(Send|Recv) header:' | perl -lpe 's/^.*?(=>|<=) //' I see: Send header: GET /example-keys/sample-project.git/info/refs?service=git-upload-pack HTTP/1.1 Send header: User-Agent: git/2.19.0 ... Recv header: HTTP/1.1 401 Unauthorized Recv header: WWW-Authenticate: Basic realm="GitLab" ... Send header: GET /example-keys/sample-project.git/info/refs?service=git-upload-pack HTTP/1.1 Send header: Authorization: Basic Send header: User-Agent: git/2.19.0 ... Recv header: HTTP/1.1 200 OK So that works. But then later we get: Send header: GET /example-keys/sample-project.git/info/refs?service=git-upload-pack HTTP/1.1 Send header: User-Agent: git/2.19.0 ... Recv header: HTTP/1.1 401 Unauthorized Recv header: WWW-Authenticate: Basic realm="GitLab" ... Send header: GET /example-keys/sample-project.git/info/refs?service=git-upload-pack HTTP/1.1 Send header: Authorization: Basic Send header: User-Agent: git/2.19.0 ... Recv header: HTTP/1.1 401 Unauthorized And then that causes credential-store to delete the non-working entry, after which all of them must fail (because you have no working credential, and presumably no terminal to prompt the user). I have no idea why the same request would sometimes be allowed and sometimes not. It's possible the data is different in those two times, but I don't know why that would be. It's also possible you're hitting different load-balancing servers that behave differently. -Peff
Re: Fwd: Git credentials not working
On Wed, Oct 3, 2018 at 12:34 PM Dimitri Kopriwa wrote: > > I have replaced the way I fill the git credentials store, I have verify > ~/.git-credentials and information are there, the ~/.gitconfig look fine > too. > > I still have 401 error when reading from that file. > > This is the paste log : https://paste.gnome.org/pmntlkdw0 > > Now that I use git approve, I dont think that I need a custom helper. > > Any idea why I still can't log in using git-credential? I'm pretty sure Peff touched on this in his reply. When it works, you're either sending a "Private-Token" header or including it in the URL, but, as Peff said, Git will never do either of those things. It sends an "Authorization" header, and, based on their documentation, it doesn't appear Gitlab accepts access tokens in that header. It looks like you're either going to need to include it in the URL (like what happens earlier in the posted trace), or adjust your git config with a "http.extraHeader" set to "Private-Token: " to include the "Private-Token" header (or you could pass it on the command line, like `git -c http.extraHeader="Private-Token: " clone ...`. Hope this helps! Bryan > > Thanks in advance, > > On 10/4/18 1:24 AM, Jeff King wrote: > > On Thu, Oct 04, 2018 at 01:12:11AM +0700, Dimitri Kopriwa wrote: > > > >> Thanks for your reply. I have activated GIT_TRACE_CURL=1 and I can see that > >> the request is failing 401. > >> > >> I can't see which token is used and using what header ? > >> > >> The log say: > >> > >> 17:50:26.414654 http.c:657 => Send header: Authorization: > >> Basic > > Yeah, we redact the auth information so people don't accidentally share > > it publicly. If you use the older GIT_CURL_VERBOSE=1, it will include > > the credential (I think it may be base64 encoded, though, so you'll have > > to decipher it). > > > >> I have retested the token locally and it work when used in the url or using > >> `Private-Token: ` as stated in the Gitlab documentation > >> https://docs.gitlab.com/ee/api/README.html#personal-access-tokens > > I don't think Git will ever send your token in either of those ways. It > > will always some as an Authorization header. > > > >> Peff, what would be the appropriate way to input my git credential in a > >> 100% > >> success way in a CI? > > I don't know the details of what GitLab would want, but... > > > >> Is this good: > >> > >> git credential approve < >> protocol=https > >> host=example.com > >> username=bob > >> password=secr3t > >> OEF > > Yes, that would work to preload a token into any configured helpers. > > > > -Peff
Re: Fwd: Git credentials not working
I have replaced the way I fill the git credentials store, I have verify ~/.git-credentials and information are there, the ~/.gitconfig look fine too. I still have 401 error when reading from that file. This is the paste log : https://paste.gnome.org/pmntlkdw0 Now that I use git approve, I dont think that I need a custom helper. Any idea why I still can't log in using git-credential? Thanks in advance, On 10/4/18 1:24 AM, Jeff King wrote: On Thu, Oct 04, 2018 at 01:12:11AM +0700, Dimitri Kopriwa wrote: Thanks for your reply. I have activated GIT_TRACE_CURL=1 and I can see that the request is failing 401. I can't see which token is used and using what header ? The log say: 17:50:26.414654 http.c:657 => Send header: Authorization: Basic Yeah, we redact the auth information so people don't accidentally share it publicly. If you use the older GIT_CURL_VERBOSE=1, it will include the credential (I think it may be base64 encoded, though, so you'll have to decipher it). I have retested the token locally and it work when used in the url or using `Private-Token: ` as stated in the Gitlab documentation https://docs.gitlab.com/ee/api/README.html#personal-access-tokens I don't think Git will ever send your token in either of those ways. It will always some as an Authorization header. Peff, what would be the appropriate way to input my git credential in a 100% success way in a CI? I don't know the details of what GitLab would want, but... Is this good: git credential approve < Yes, that would work to preload a token into any configured helpers. -Peff
Re: Fwd: Git credentials not working
On Thu, Oct 04, 2018 at 01:12:11AM +0700, Dimitri Kopriwa wrote: > Thanks for your reply. I have activated GIT_TRACE_CURL=1 and I can see that > the request is failing 401. > > I can't see which token is used and using what header ? > > The log say: > > 17:50:26.414654 http.c:657 => Send header: Authorization: Basic > Yeah, we redact the auth information so people don't accidentally share it publicly. If you use the older GIT_CURL_VERBOSE=1, it will include the credential (I think it may be base64 encoded, though, so you'll have to decipher it). > I have retested the token locally and it work when used in the url or using > `Private-Token: ` as stated in the Gitlab documentation > https://docs.gitlab.com/ee/api/README.html#personal-access-tokens I don't think Git will ever send your token in either of those ways. It will always some as an Authorization header. > Peff, what would be the appropriate way to input my git credential in a 100% > success way in a CI? I don't know the details of what GitLab would want, but... > Is this good: > > git credential approve < protocol=https > host=example.com > username=bob > password=secr3t > OEF Yes, that would work to preload a token into any configured helpers. -Peff
Re: Fwd: Git credentials not working
Thanks for your reply. I have activated GIT_TRACE_CURL=1 and I can see that the request is failing 401. I can't see which token is used and using what header ? The log say: 17:50:26.414654 http.c:657 => Send header: Authorization: Basic I have retested the token locally and it work when used in the url or using `Private-Token: ` as stated in the Gitlab documentation https://docs.gitlab.com/ee/api/README.html#personal-access-tokens Peff, what would be the appropriate way to input my git credential in a 100% success way in a CI? Is this good: git credential approve
Re: Fwd: Git credentials not working
On Wed, Oct 03, 2018 at 09:06:38PM +0700, Dimitri Kopriwa wrote:
> 18:25:52.940307 git.c:659 trace: exec: git-credential-store
> erase
> 18:25:52.940365 run-command.c:637 trace: run_command:
> git-credential-store erase
> remote: HTTP Basic: Access denied
> fatal: Authentication failed for
> 'https://git.example.com/example/some-project.git/'
> [...]
>
> Can you please help me found why is git credential-store erase called ?
This is expected. We tried to use a credential that was rejected by the
server, so we told all of the helpers it was invalid. You can try
running GIT_TRACE_CURL=1 to see the HTTP conversation. There will be an
HTTP 401 with the authentication failure, though it may not tell you
anything more useful than that.
git-credential-store is meant to be used interactively, to insert and
erase credentials as they're grabbed from the terminal.
It sounds more like you want to just have a stored credential that you
try to use. You could do that with a custom helper. E.g., something like
this in your ~/.gitconfig:
[credential "https://example.com;]
helper = "!f() { test $1 = get && echo password=$(cat /path/with/password);
}; f"
-Peff
Fwd: Git credentials not working
Dear Git list,
I have tried to used git credentials within Gitlab-CI runners. I have 4
instance of GitLab and discovered a weird bug with Git credentials when
use within a CI process.
Please note before all that the time spend allowed me multiple time to
check that my credentials are valid for the repository. And calling git
fetch --tags with the full remote url that include the credentials
always succeeded.
Tested with Git 2.11, 2.19
Git credentials in ~/.git-credentials and ~/.config/git/credentials are
being removed by git upon reading.
This happen randomly accross my CI runner, and change that make them
work on not related.
{ Error: Command failed: git fetch --tags
https://git.example.com/example/some-project.git
18:25:52.554903 git.c:415 trace: built-in: git fetch
--tags https://git.example.com/example/some-project.git
18:25:52.555234 run-command.c:637 trace: run_command: GIT_DIR=.git
git-remote-https https://git.example.com/example/some-project.git
https://git.example.com/example/some-project.git
18:25:52.692741 run-command.c:637 trace: run_command: 'git
credential-store get'
18:25:52.697314 git.c:659 trace: exec:
git-credential-store get
18:25:52.697372 run-command.c:637 trace: run_command:
git-credential-store get
18:25:52.936024 run-command.c:637 trace: run_command: 'git
credential-store erase'
18:25:52.940307 git.c:659 trace: exec:
git-credential-store erase
18:25:52.940365 run-command.c:637 trace: run_command:
git-credential-store erase
remote: HTTP Basic: Access denied
fatal: Authentication failed for
'https://git.example.com/example/some-project.git/'
See the full question here:
https://stackoverflow.com/questions/52614467/why-does-git-credential-store-call-git-credential-erase-and-make-my-credential-f
Can you please help me found why is git credential-store erase called ?
Best regards,
