r-lib / credentials Goto Github PK
View Code? Open in Web Editor NEWTools for Managing SSH and Git Credentials
Home Page: https://docs.ropensci.org/credentials
License: Other
Tools for Managing SSH and Git Credentials
Home Page: https://docs.ropensci.org/credentials
License: Other
Can credentials get the same pkgdown setup as gert? I'd like to start linking to it from usethis.
I was just trying out credentials::ssh_setup_github()
and everything seems to work until I try to clone (this is in a clean container with no .ssh
folder) where I get the following:
~$ git clone [email protected]:rundel/test-private.git
Cloning into 'test-private'...
Warning: Permanently added the RSA host key for IP address '140.82.112.4' to the list of known hosts.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for '/home/guest/.ssh/id_rsa' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "/home/guest/.ssh/id_rsa": bad permissions
[email protected]: Permission denied (publickey).
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
the ssh keys are generated with -rw-r--r--
default permissions on this system.
~$ ls -la .ssh
total 20
drwxr-xr-x 2 guest users 4096 Jul 23 18:25 .
drwxrwxr-x 8 guest users 4096 Jul 23 18:29 ..
-rw-r--r-- 1 guest users 1744 Jul 23 18:26 id_rsa
-rw-r--r-- 1 guest users 381 Jul 23 18:23 id_rsa.pub
-rw-r--r-- 1 guest users 2210 Jul 23 18:29 known_hosts
would it be possible to have the creation process remove the group and other permissions automatically?
I don't know how it got past the defenses, but somehow loading this package on macOS that did not have developer tools set up ended up causing an error (carpentries/sandpaper-docs#33 (comment)). I confirmed that the user was using version 1.3.0:
xcrun: error: invalid active developer path (/Library/Developer/CommandLineTools), missing xcrun at: /Library/Developer/CommandLineTools/usr/bin/xcrun
xcrun: error: invalid active developer path (/Library/Developer/CommandLineTools), missing xcrun at: /Library/Developer/CommandLineTools/usr/bin/xcrun
Error: .onLoad failed in loadNamespace() for 'credentials', details:
call: NULL
error: Failed to call 'git help -a'
> packageVersion(“credentials”)
[1] ‘1.3.0’
> R.version
_
platform x86_64-apple-darwin17.0
arch x86_64
os darwin17.0
system x86_64, darwin17.0
status
major 4
minor 0.2
year 2020
month 06
day 22
svn rev 78730
language R
version.string R version 4.0.2 (2020-06-22)
nickname Taking Off Again
From what I can tell, the reason it got to this error message is that Sys.which('git')
will return /usr/bin/git
, so the has_git_cmd()
works, but it will error when calling credential_helper_list()
:
Line 68 in 721bef3
But since this is in a tryCatch block, I have no clue why exactly it would result in an error, but it is indeed being caught by loadNamespace() and treated as an error.
I'm running into a problem where credentials::set_github_pat(verbose = FALSE)
(I think) won't find the correct entry in my (macOS) keychain, and therefore will always ask me interactively, even though there is a PAT in the keychain.
Here's how to reproduce this (executible reprex is a bit difficult b/c of interactive nature):
usethis::create_github_token
)gitcreds::gitcreds_set()
(choose update; I already had info in there probably because of gh cli usage?)credentials::set_github_pat()
This did not retrieve the token from the GCM, but instead asked for another one:
If prompted for GitHub credentials, enter your PAT in the password field
Password for 'https://[email protected]':
─ Session info ───────────────────────────────────────────────────────────────
setting value
version R version 4.1.0 (2021-05-18)
os macOS Big Sur 11.4
system x86_64, darwin17.0
ui X11
language en_US.UTF-8 git
collate en_US.UTF-8
ctype en_US.UTF-8
tz Europe/Berlin
date 2021-06-17
─ Packages ───────────────────────────────────────────────────────────────────
package * version date lib source
askpass 1.1 2019-01-13 [1] CRAN (R 4.1.0)
cli 2.5.0 2021-04-26 [1] CRAN (R 4.1.0)
credentials 1.3.0 2020-07-21 [1] CRAN (R 4.1.0)
openssl 1.4.4 2021-04-30 [1] CRAN (R 4.1.0)
sessioninfo 1.1.1 2018-11-05 [1] CRAN (R 4.1.0)
sys 3.4 2020-07-23 [1] CRAN (R 4.1.0)
withr 2.4.2 2021-04-18 [1] CRAN (R 4.1.0)
[1] /Library/Frameworks/R.framework/Versions/4.1/Resources/library
Found at rocker-org/devcontainer-images#39.
It appears that when the credentials
package is installed, the following ~/.gitconfig
file is generated and left intact.
[credential]
helper = cache
Is this the intended behavior?
Currently we have an issue where rsconnect/packrat are somehow insisting on publishing credentials
as a dependency of one of our applications.
The problem with this is that credentials
won't install in the restricted (sandboxed) security space that we're running RStudio Connect installation.
Example part of our application publish logs:
2021/04/20 09:14:27.234881673 Error: Command failed (1)
2021/04/20 09:14:27.234904603
2021/04/20 09:14:27.234976523 Failed to run system command:
2021/04/20 09:14:27.234980743
2021/04/20 09:14:27.235009739 '/opt/R/4.0.2/lib/R/bin/R' --vanilla CMD INSTALL --preclean '/opt/rstudio-connect/mnt/tmp/Rtmp5fBl45/credentials' --library='/opt/rstudio-connect/mnt/app/packrat/lib/x86_64-pc-linux-gnu/4.0.2' --install-tests --no-docs --no-multiarch --no-demo
2021/04/20 09:14:27.235035739
2021/04/20 09:14:27.235066940 The command failed with output:
2021/04/20 09:14:27.235070376 * installing *source* package ‘credentials’ ...
2021/04/20 09:14:27.235098316 ** package ‘credentials’ successfully unpacked and MD5 sums checked
2021/04/20 09:14:27.235102006 ** using staged installation
2021/04/20 09:14:27.235128333 ** R
2021/04/20 09:14:27.235132053 ** inst
2021/04/20 09:14:27.235158977 ** byte-compile and prepare package for lazy loading
2021/04/20 09:14:27.235162227 ** help
2021/04/20 09:14:27.235188930 *** installing help indices
2021/04/20 09:14:27.235192000 ** building package indices
2021/04/20 09:14:27.235218800 ** installing vignettes
2021/04/20 09:14:27.235221890 ** testing if installed package can be loaded from temporary location
2021/04/20 09:14:27.235271267 error: could not lock config file /home/rstudio-connect/.gitconfig: Permission denied
2021/04/20 09:14:27.235275537 Error: package or namespace load failed for ‘credentials’:
2021/04/20 09:14:27.235303420 .onLoad failed in loadNamespace() for 'credentials', details:
2021/04/20 09:14:27.235306587 call: NULL
2021/04/20 09:14:27.235333547 error: Failed to call 'git config --global credential.helper cache'
2021/04/20 09:14:27.235336587 Error: loading failed
2021/04/20 09:14:27.235363554 Execution halted
2021/04/20 09:14:27.235366444 ERROR: loading failed
2021/04/20 09:14:27.235393507 * removing ‘/opt/rstudio-connect/mnt/app/packrat/lib/x86_64-pc-linux-gnu/4.0.2/credentials’
I'm not entirely sure still of quite how/why credentials
is being pulled into one of our applications which is being deployed into our RStudio Connect server... and I am digging into that - see some notes on rstudio/rsconnect#505
However, I was also wondering if credentials
would be interested in a PR which would allow credentials
to fail with warnings rather than errors in onLoad
Line 3 in 17eaef8
I naively ran remotes::install_github("ropensci/credentials")
Currently, renv
is failing R CMD check
on CRAN's r-oldrel-macos machine:
https://www.r-project.org/nosvn/R.check/r-oldrel-macos-x86_64/renv-00check.html
> renv:::renv_tests_init()
xcodebuild: error: SDK "/Library/Developer/CommandLineTools/SDKs/MacOSX.sdk" cannot be located.
git: error: unable to find utility "git", not a developer tool or in PATH
xcodebuild: error: SDK "/Library/Developer/CommandLineTools/SDKs/MacOSX.sdk" cannot be located.
git: error: unable to find utility "git", not a developer tool or in PATH
Error: (converted from warning) .onLoad failed in loadNamespace() for 'credentials', details:
call: NULL
error: Failed to call 'git help -a'
Execution halted
It looks like the credentials
package is trying to use git
on startup, and that is failing?
I suspect that this needs to be fixed on the CRAN side (why aren't command line tools installed on that machine?) but figured it would be worth filing here for posterity since the issue may effect users who haven't installed command line tools on their machine.
It looks like the error message I'm receiving is different than previous posts. Please see the line regarding "unused arguments".
$ R CMD INSTALL credentials_1.3.0.tar.gz
* installing to library ‘R/x86_64-pc-linux-gnu-library/3.5’
* installing *source* package ‘credentials’ ...
** package ‘credentials’ successfully unpacked and MD5 sums checked
** R
** inst
** byte-compile and prepare package for lazy loading
** help
*** installing help indices
** building package indices
** installing vignettes
** testing if installed package can be loaded
Error: package or namespace load failed for ‘credentials’:
.onLoad failed in loadNamespace() for 'credentials', details:
call: sys::exec_wait(git, command, std_out = outcon, std_err = verbose,
error: unused arguments (std_in = input, timeout = timeout)
Error: loading failed
Execution halted
ERROR: loading failed
* removing ‘R/x86_64-pc-linux-gnu-library/3.5/credentials’
Here is the output from sessionInfo()
R version 3.5.3 (2019-03-11)
Platform: x86_64-pc-linux-gnu (64-bit)
Running under: Red Hat Enterprise Linux Server 7.9 (Maipo)
Matrix products: default
BLAS: /opt/R/R-3.5.3/lib64/R/lib/libRblas.so
LAPACK: /opt/R/R-3.5.3/lib64/R/lib/libRlapack.so
locale:
[1] LC_CTYPE=en_US.UTF-8 LC_NUMERIC=C LC_TIME=en_US.UTF-8 LC_COLLATE=en_US.UTF-8 LC_MONETARY=en_US.UTF-8
[6] LC_MESSAGES=en_US.UTF-8 LC_PAPER=en_US.UTF-8 LC_NAME=C LC_ADDRESS=C LC_TELEPHONE=C
[11] LC_MEASUREMENT=en_US.UTF-8 LC_IDENTIFICATION=C
attached base packages:
[1] stats graphics grDevices utils datasets methods base
loaded via a namespace (and not attached):
[1] compiler_3.5.3 tools_3.5.3 renv_0.14.0
The master
branch of this repository will soon be renamed to main
, as part of a coordinated change across several GitHub organizations (including, but not limited to: tidyverse, r-lib, tidymodels, and sol-eng). We anticipate this will happen by the end of September 2021.
That will be preceded by a release of the usethis package, which will gain some functionality around detecting and adapting to a renamed default branch. There will also be a blog post at the time of this master
--> main
change.
The purpose of this issue is to:
message id: euphoric_snowdog
Some but not all R packages which use git credentials are hard-coded to expect tokens to be stored as GITHUB_PAT
only. The official GitHub cli now only accepts tokens stored as GITHUB_TOKEN
. GitHub should be granted the authority here to specify token nomenclature, so it would be good if GITHUB_TOKEN
worked in all credentials
processes.
Currently, ssh_keygen()
creates an RSA key with SHA-1, which is not allowed now. See this Github blog.
This might cause error in usethis::use_github_release()
(r-lib/usethis#1634).
Error in libgit2::git_remote_fetch :
ERROR: You're using an RSA key with SHA-1, which is no longer allowed. Please use a newer client or a different key type.
Please see https://github.blog/2021-09-01-improving-git-protocol-security-github/ for more information.
I am seeing the following error message when setting my credentials for a private GitLab instance from my company Windows laptop:
credentials::git_credential_ask("https://gitlab.private.com")
#> fatal: credential-cache unavailable; no unix socket support
#> $protocol
#> [1] "https"
#> $host
#> [1] "gitlab.private.com"
#> $username
#> [1] "My.Username"
#> $password
#> [1] "XXXXXXXXXXXXXXXXXX"
#> attr(,"class")
#> [1] "git_credential"
I get that fatal error message but it does retrieve the correct credentials.
My credential helper is store (credential-manager), not cache:
credentials::credential_helper_get()
#> [1] "manager"
Any idea why it complains about the credential-cache when my credential helper is the Windows Credential Manager?
Note that I originally found this issue when trying to use gert. Any operation that requires authentication showed the same fatal error message about the credential-cache and failed to retrieve my credentials, thus prompting me to enter my credentials every time.
I do not see this behaviour in my company Mac laptop and everything works fine there.
I am using credentials::set_github_pat()
on AWS-Lightsail (Ubuntu, personal User) and it works basically fine.
However, when I restart the instance, RStudio asks me again for PW/User.
Also if I run credentials::set_github_pat()
after restart, I am getting asked for the PAT again.
Is there a way around this and set the PAT permanently? What could be the issue?
Edit: Also writing credentials::set_github_pat()
into .Renviron as recommended in this blogpost https://ropensci.org/blog/2020/07/07/github-pat/ doesn't solve this and instead leads to the following error msg. in RStudioServer after a reboot.
usethis has a git_sitrep()
function that reveals a lot about a user's Git setup, for diagnostic and troubleshooting purposes. In the past, this revealed info re: the git2r outlook.
Since usethis is shifting away from git2r in favour of gert + credentials, I want to reveal similar info. gert::libgit2_config()
covers gert pretty well.
I'd like to include similar info from credentials.
Can we take the smarts in .onAttach()
and move them into an actual exported function that other packages can call?
https://github.com/r-lib/credentials/blob/master/R/onattach.R
I'd love to get my hands on some of this info programmatically:
> library(credentials)
Found git version 2.24.3 (Apple Git-128)
Supported HTTPS credential helpers: cache, store
Found OpenSSH_8.1p1, LibreSSL 2.7.3
Default SSH key: /Users/jenny/.ssh/id_rsa
With recent git versions on Linux and Windows we see a timeout (maybe due to user prompt)
> ### Name: credential_api
> ### Title: Retrieve and store git HTTPS credentials
> ### Aliases: credential_api credential_fill credential_approve
> ### credential_reject
>
> ### ** Examples
>
> ## No test:
> # Insert example cred
> example <- list(protocol = "https", host = "example.org",
+ username = "test", password = "secret")
> credential_approve(example)
Error: Error: Program 'git' terminated (timeout reached: 10.00sec)
I'm trying to install this package on a system for another user:
echo 'install.packages("credentials")' | sudo -u some_other_user R --no-save
This causes the following error to occur:
warning: unable to access '/home/jeff/.config/git/config': Permission denied
error: could not lock config file /home/jeff/.gitconfig: Permission denied
Error: package or namespace load failed for ‘credentials’:
.onLoad failed in loadNamespace() for 'credentials', details:
call: NULL
error: Failed to call 'git config --global credential.helper cache'
Error: loading failed
Execution halted
ERROR: loading failed
I see that the error is occurring here where we set the global user git config to cache credentials: https://github.com/r-lib/credentials/blob/master/R/onattach.R#L22.
I can see it being useful to have this behaviour for the common user but I don't think it's necessarily desirable all the time. Could a flag be added to disable this behaviour?
Trying to update GITHUB_PAT
using credentials 1.3.2
, but I am getting curious behaviour.
> library(credentials)
Found git version 2.24.0
Supported HTTPS credential helpers: cache, store
Found OpenSSH_8.6p1, LibreSSL 3.3.6
Default SSH key: /Users/{user}/.ssh/id_rsa
> git_credential_ask()
$protocol
[1] "https"
$host
[1] "github.com"
$username
[1] "..."
$password
[1] "ghp_......."
attr(,"class")
[1] "git_credential"
> git_credential_update()
error: cannot run rpostback-askpass: No such file or directory
fatal: could not read Username for 'https://github.com': terminal prompts disabled
Error: Failed to call 'git credential fill'
> git_credential_ask()
error: cannot run rpostback-askpass: No such file or directory
fatal: could not read Username for 'https://github.com': terminal prompts disabled
Error: Failed to call 'git credential fill'
> set_github_pat()
If prompted for GitHub credentials, enter your PAT in the password field
/Users/{user}/Library/R/x86_64/4.2/library/credentials/ask_token.sh: line 3: exec: rpostback-askpass: not found
error: unable to read askpass response from '/Users/{user}/Library/R/x86_64/4.2/library/credentials/ask_token.sh'
fatal: could not read Password for 'https://[email protected]': terminal prompts disabled
Error: Failed to call 'git credential fill'
The first time git_credential_ask()
asks for my local user password to unlock osxkeychain
, and produces the expected result.
I tried the first two solutions in https://stackoverflow.com/questions/32232655/go-get-results-in-terminal-prompts-disabled-error-for-github-private-repo, but no luck. Happens on two different macs, both running OSX 12.6.
Appreciate any ideas that could help.
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google ❤️ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.