Can the macOS Git client use certificates stored in the user's Keychain?
I managed to find a way to do this for macOS, using the versions of Git and cURL provided by Homebrew:
- If you have not done this yet, install Homebrew for macOS.
Install cURL and Git using Homebrew:
brew install curl brew install --with-curl git
The
--with-curl
option is important, since it will force Git to use the Homebrew version of cURL, which includes the required support for the macOS Keychain - through cURL's-E/--cert
parameter.The Homebrew version of cURL supports looking up the certificate in the user's keychain, using the name/alias provided by the
-E/--cert
parameter, while the stock macOS version of cURL does not.It is necessary to install Git with support for the Homebrew version of cURL, since it will simply use the one from macOS if not told otherwise.
If you already have Git installed through Homebrew, you have to reinstall it with the
--with-curl
option:brew reinstall --with-curl git
Update With a recent change in the Homebrew Git formula, the --with-curl
option was removed. If you still want to use this, you can do the following to install that specific version of Git - this is before the options were removed. To install this specific version of the Git formula, use the following approach (based on these instructions) - you might have to remove your existing Git installation first, though:
# Install curl
brew install curl
# Install the last version of the Git formula that still has the --with-curl option
brew install --with-curl https://raw.githubusercontent.com/Homebrew/homebrew-core/a86ae8fc2b24001b3c6460a46dbfc6e323d2a4d1/Formula/git.rb
# Pin Git in Homebrew so that it does not get updated automatically
brew pin git
Import the certificate into your user's login keychain (double-click on the certificate file, e.g. if it's in
.pfx
format). Check in your user's login keychain for the presence of the certificate (and the private key - they might be in different entries) and note the name of the certificate. We'll assume it's calledgit.example.com
.Configure Git to refer to the certificate entry in your keychain. Don't point it to a local file, but provide the name of the certificate as stored in your keychain. The Homebrew version of cURL has support for this:
git config --global http.sslCert git.example.com
If you only want to use the certificate for a specific server, you can use the following syntax to limit the setting to that specific URL:
git config --global http."https://git.example.com".sslCert git.example.com
Once you have done the above steps, whenever you run a Git command with the git.example.com server, Git/cURL should try to get the certificate from your Keychain.
For the first access, it might show a window asking you to unlock your login keychain. Provide the password for that keychain and make sure to click the Always Allow button. After that, further Git commands should not require you to provide the passphrase or the keychain password again.
You can also edit the .gitconfig
file directly, e.g. by adding the following for using the certificate for a specific URL:
[http "https://git.example.com"]
sslCert = git.example.com