Menu
Our Git server is being changed to require a certificate/private key when accessed by Git clients.
Our Windows users are instructed to import the certificate locally and then configure Git to use the schannel backed for SSL as in
git config --global http.sslBackend schannel
This will obviously not work for macOS users. Is there a way to do something similar with the Git client on macOS?
I found that I can point to the certificate and private key in my Git config, if a) they are in separate files, and b) are in .pem format, like this:
git config --global http.sslCert /Users/.../cert.pem
git config --global http.sslKey /Users/.../key.pem
git config --global http.sslCertPasswordProtected true
After doing this, whenever I try to push/pull, the Git client asks about the password for the private key, like this:
$ git pull
Password for 'cert:////Users/.../cert.pem': *********
Already up to date.
Is there a way to tell the Git client (or the underlying curl client) to use the macOS Keychain for retrieving the certificate, the key and the also the key's passphrase?
I know that newer versions of curl support the -E/--cert parameter to use the keychain, but I'm not sure whether that is available via the Git client.
586
When using a self-signed certificate on a Teamforge Git server, you cannot clone a repository using the standard git client on RHEL/CentOS. In RHEL/CentOS, the Linux certificates used by git and other tools are stored in the /etc/pki/tls/certs/ca- bundle. trust. crt file.
In the Keychain Access app on Mac, select a keychain, then click either the My Certificates category or the Certificates category to see the certificates in that keychain. Select the certificate you want to view, then click the Info button in the toolbar.
Updating your credentials via Keychain AccessType Keychain access then press the Enter key to launch the app. In Keychain Access, search for github.com.
I managed to find a way to do this for macOS, using the versions of Git and cURL provided by Homebrew:
Install cURL and Git using Homebrew:
brew install curl
brew install --with-curl git
The --with-curl option is important, since it will force Git to use the Homebrew version of cURL, which includes the required support for the macOS Keychain - through cURL's -E/--cert parameter.
The Homebrew version of cURL supports looking up the certificate in the user's keychain, using the name/alias provided by the -E/--cert parameter, while the stock macOS version of cURL does not.
It is necessary to install Git with support for the Homebrew version of cURL, since it will simply use the one from macOS if not told otherwise.
If you already have Git installed through Homebrew, you have to reinstall it with the --with-curl option:
brew reinstall --with-curl git
Update With a recent change in the Homebrew Git formula, the --with-curl option was removed. If you still want to use this, you can do the following to install that specific version of Git - this is before the options were removed. To install this specific version of the Git formula, use the following approach (based on these instructions) - you might have to remove your existing Git installation first, though:
# Install curl
brew install curl
# Install the last version of the Git formula that still has the --with-curl option
brew install --with-curl https://raw.githubusercontent.com/Homebrew/homebrew-core/a86ae8fc2b24001b3c6460a46dbfc6e323d2a4d1/Formula/git.rb
# Pin Git in Homebrew so that it does not get updated automatically
brew pin git
Import the certificate into your user's login keychain (double-click on the certificate file, e.g. if it's in .pfx format). Check in your user's login keychain for the presence of the certificate (and the private key - they might be in different entries) and note the name of the certificate. We'll assume it's called git.example.com.
Configure Git to refer to the certificate entry in your keychain. Don't point it to a local file, but provide the name of the certificate as stored in your keychain. The Homebrew version of cURL has support for this:
git config --global http.sslCert git.example.com
If you only want to use the certificate for a specific server, you can use the following syntax to limit the setting to that specific URL:
git config --global http."https://git.example.com".sslCert git.example.com
Once you have done the above steps, whenever you run a Git command with the git.example.com server, Git/cURL should try to get the certificate from your Keychain.
For the first access, it might show a window asking you to unlock your login keychain. Provide the password for that keychain and make sure to click the Always Allow button. After that, further Git commands should not require you to provide the passphrase or the keychain password again.
You can also edit the .gitconfig file directly, e.g. by adding the following for using the certificate for a specific URL:
[http "https://git.example.com"]
sslCert = git.example.com
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With