Thank you! This makes sense and the solution is simple. Is this
somewhere in the documentation (honest question, I am not being a
jerk)? I tried my best to figure this out before bugging people on the
mailing list.

Best,

Gennady

--
Gennady Uraltsev
<gennady.uraltsev@xxxxxxxxx>
(https://guraltsev.github.io)

On Tue, Dec 6, 2022 at 5:16 PM brian m. carlson <sandals@xxxxxxxxxxxxxxxxxxxx> wrote:
>
> On 2022-12-06 at 22:05:22, Gennady Uraltsev wrote:
> > Hello everyone,
> >
> > I have an issue with git credential-store. In my global configuration
> > dir (.config/git/config) I had the line
> >
> > [credential]
> > helper = store
> >
> > while in a repository's .git/config I have
> >
> > [credential]
> > helper = "store --file=./.git/git-credentials"
> >
> > to store credentials "locally".
> >
> > I thought the latter would overrule the former. However what happens is
> > the following:
> >
> > 1) On first run the repo-local file ./.git/git-credentials gets
> > created and the credentials are saved there after the user is queried
> > for a password
> > 2) On subsequent runs the credentials get recovered from
> > ./.git/git-credentials and the user is NOT asked for credentials
> > 2b) **Here is the weird behavior** git ALSO creates the
> > .git-credentials file in the home directory and saves a copy of
> > credentials there.
> >
> > The behavior 2b leads to exfiltration of passwords to a location a
> > user might not expect.
> >
> > Workaround: Remove the line
> >
> > [credential]
> > helper = store
> >
> > in the global config.
> >
> > It seems that the global config somehow does not get shadowed by the local one!
>
> This behaviour is by design. The reason is that sometimes the user may
> have two sets of credential helpers, one for one set of domains, and
> another for another. For example, I believe AWS has its own custom
> credential helper. Git calls credential helpers until it finds a
> credential, and then it sends store commands to all of them. A
> credential helper which has no credentials for a domain will generally
> respond with no credentials.
>
> If you want to override the credential helpers in the `.git/config`
> file, you can do so by first writing an empty value, like so:
>
> [credential]
> helper =
> helper = "store --file=./.git/git-credentials"
> --
> brian m. carlson (he/him or they/them)
> Toronto, Ontario, CA
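
Added example, not part of the original thread: a shell script that reproduces the behaviour discussed above in a throwaway HOME and reports which files credential-store writes with and without the empty `helper =` reset. The host, username and password are constructed, and the function name `helper_files_written` is hypothetical.

```shell
#!/bin/sh
# Which credential files does git write when the repository config
# appends to the global helper list ("append", the original report)
# versus resets it with an empty value first ("reset", the fix)?

helper_files_written() {
    mode=$1
    (
        tmp=$(mktemp -d) || exit 1
        # Isolate from the real user and system configuration.
        export HOME="$tmp/home" XDG_CONFIG_HOME="$tmp/home/.config" GIT_CONFIG_NOSYSTEM=1
        unset GIT_CONFIG_GLOBAL GIT_DIR
        mkdir -p "$HOME"

        git config --global credential.helper store
        git init -q "$tmp/repo" && cd "$tmp/repo" || exit 1
        if [ "$mode" = reset ]; then
            # An empty value clears every helper collected so far.
            git config --local credential.helper ""
            git config --local --add credential.helper "store --file=./.git/git-credentials"
        else
            git config --local credential.helper "store --file=./.git/git-credentials"
        fi

        # Effective helper list, with the file each entry comes from.
        git config --show-origin --get-all credential.helper >&2

        # "approve" sends a store command to every configured helper.
        # Constructed credential, not a real account.
        printf 'protocol=https\nhost=example.com\nusername=alice\npassword=constructed-secret\n\n' |
            git credential approve

        [ -f .git/git-credentials ] && l=yes || l=no
        [ -f "$HOME/.git-credentials" ] && h=yes || h=no
        cd / && rm -rf "$tmp"
        echo "local=$l home=$h"
    )
}

for m in append reset; do
    printf '%s: %s\n' "$m" "$(helper_files_written "$m")"
done
```

Running `git config --show-origin --get-all credential.helper` in an existing repository is a quick audit of where a stored credential can end up.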