Disable osxkeychain credential helper in git as installed by Xcode

Question

I need to disable the git credential helper for OS X: git-credential-osxkeychain

I'm using git as installed by Xcode Command Line Utilities 4.6.2 in OS X Mountain Lion 10.8.3.

In this installation the default behavior of git pull or git push is for the password to be remembered, thereby freeing the user from having to enter it again.

Although convenient, this is a security risk in my situation. I need to disable the credential helper so a password will be required with each remote pull, push or fetch.

The git installed with Xcode does not seem to use git config to set this feature. Here are my settings:

---

# git --version =>

git version 1.7.12.4 (Apple Git-37)

# git config --global --list =>

user.name=User Name
user.email=user@home
color.diff=auto
color.status=auto
color.branch=auto
color.interactive=auto
color.ui=auto
alias.lol=log --pretty=oneline --abbrev-commit --graph --decorate
alias.co=checkout
alias.ci=commit
alias.st=status
alias.br=branch
alias.hist=log --pretty=format:'%h %ad | %s%d [%an]' --graph --date=short
alias.type=cat-file -t
alias.dump=cat-file -p
core.autocrlf=input
core.safecrlf=true
core.editor=/usr/bin/vim

# git config --local --list =>

core.repositoryformatversion=0
core.filemode=true
core.bare=false
core.logallrefupdates=true
core.ignorecase=true
remote.origin.fetch=+refs/heads/*:refs/remotes/origin/*
remote.origin.url=https://XXXXXXX@bitbucket.org/YYYYYYYY/ZZZ.git
branch.master.remote=origin
branch.master.merge=refs/heads/master

# git config --system --list =>

fatal: unable to read config file '/usr/etc/gitconfig': No such file or directory

[ Note: there is no system config file for my installation. ]

---

I did a thorough search on Stack Overflow and Google, but could not find a solution to disabling credential helper in this installation.

I suspect there is a .plist or similar config file somewhere in the Xcode hierarchy that has a flag to disable, but could not find any mention of it in the git or Xcode docs.

A quick and dirty solution would be to chmod the Applications/Xcode.app/Contents/Developer/usr/libexec/git-core/git-credential-osxkeychain binary, but that's not very elegant, and would likely break with any updates to Xcode.

Do any Xcode experts out there have any idea where Apple stashes the flag to turn this git feature off?

Answer 1

Firstly, there is a quickly response to your specific question

• Q: "there have any idea where Apple stashes the flag to turn this git feature off?"
• A: just set credential.helper to empty in the scope you expect to overwrite its default value, like that:

  git config --global credential.helper ''
  

Then let's take a look at more. I was also confused about the same scene -- Why the git-credential-helper configured to osxkeychain before I make any configuration after installed (followed Xcode installation)

If it was caused by a configuration file, Where the configure file located? My find is followed:

1. After git was installed with the installation of Xcode, credential.helper was configured to osxkeychain, like that:

   $git config credential.helper
   osxkeychain 
   

2. I checked which config file had already been configured, but the --system/--globle/--localconfiguration were empty (or had no file).

3. I thought this feature was fixed during compilation and not based a configuration file. But I had no knowledge about that.

4. Until I found Git has a "core" configuration file which is not revealed by the git-documents. Please read this article ChrisTollefson/git-install-config.md the excerpt is as follows.

   1. git config --list --showorigin gives the details of configuration and locations of the configure files.
   2. Git followed Xcode has a "core" configure file located in /Applications/Xcode.app/Contents/Developer/usr/share/git-core/gitconfig which only has two configuration lines: credential.helper = osxkeychain and int.defaultBranch = main.
   3. The "core" configuration cannot be edited using git config command. But the "core" configuration has the lowest priority. So we can overwrite the content using the system or global or local configuration.

Answer 2

If the main concern in your question is the security and you wish to enter a password everytime, then I'd embrace the keychain to fit your goal

1. go into the osx keychain app,
2. Lookup the servername if you're using https
3. change its settings by clicking on it, and under the tab "access control" mark "Ask for keychain password"
4. If needed remove the git-credential-osxkeychain application from the list of whitelisted applications. (In my case I had to save at this point, return to the settings and re-enable "ask for keychain password" which was somehow disabled again.)

Mind you that on Linux the default behaviour is also to have the credentials being sent automatically.