svnhttpsgnupggpg-agent

Subversion HTTPS password caching using GPG-Agent?


I am using the Subversion client (version 1.9.5 r1770682, installed from the default package repository) on a Debian Stretch machine, to which I only have SSH access. I am connecting to a Subversion repository via HTTPS and would like to avoid having to re-type my password every time I perform an svn up or svn ci command. I would also like to avoid having to store the password on disk as plaintext.

The SVN Book suggests that I should be able to use GPG-Agent as a means of caching my password. Although svn --version reports that the GPG-Agent authentication credential cache should be available, I am having some trouble getting it to work.

With regard to GPG, I have created a GPG key pair, have added export GPG_TTY=$(tty) to my .profile file, and have verified that GPG works by encrypting and decrypting a piece of text.

With regard to Subversion, in my .subversion/config file, I have set the following:

$ grep '^[^#]' < .subversion/config
[auth]
password-stores = gpg-agent
[helpers]
[tunnels]
[miscellany]
[auto-props]
[working-copy]

In my .subversion/servers file, I have set the following:

$ grep '^[^#]' < .subversion/servers
[groups]
[global]
store-passwords = yes
store-plaintext-passwords = no

When I perform an svn command, however, no passwords are cached. Does anyone have any suggestions as to what I may be doing wrong? Has anyone used GPG-Agent successfully for caching HTTPS passwords? (Perhaps this credential cache is only intended for SVN+SSH connections?)

Any help would be greatly appreciated.


Solution

  • I finally found a solution to my problem by looking into it once more, starting from the suggestion of Roman above. The comments of the find_gpg_agent_socket function in the Subversion client's GPG-Agent authentication source code indeed explain:

    $GPG_AGENT_INFO takes precedence, if set, otherwise $GNUPGHOME will be used.

    (...)

    For reference GPG_AGENT_INFO consists of 3 : separated fields. The path to the socket, the pid of the gpg-agent process and finally the version of the protocol the agent talks.

    The path to the GPG-Agent socket can easily be found by calling gpgconf --list-dirs agent-socket on the command line. The other two segments of the $GPG_AGENT_INFO variable are not used by the Subversion client, and should thus not necessarily be set.

    I have therefore added the following code at the end of my .profile file:

    export GPG_TTY=$(tty)
    export GPG_AGENT_INFO=`gpgconf --list-dirs agent-socket | tr -d '\n' && echo -n ::`
    

    This sets the $GPG_TTY variable to the current terminal, and the $GPG_AGENT_INFO variable to the GPG-Agent socket, followed by two colon characters (i.e., the format expected by the Subversion source code).

    Subversion seems to cache the repositories' authentication settings in ~/.subversion/auth, so I found it necessary to clear that directory before GPG-Agent would be used correctly:

    rm -rf ~/.subversion/auth
    

    After starting a new session, you should be able to verify that the $GPG_AGENT_INFO variable is set correctly: echo $GPG_AGENT_INFO should output something like /run/user/1000/gnupg/S.gpg-agent:: (where 1000 is the uid of the current user).

    When performing a Subversion command, for example svn up, your password will be prompted the first time:

    Updating '.':
    Enter your Subversion password for <https://example.com:443> Subversion Repository
    Password for 'username': :
    At revision 123.
    

    When performing a second Subversion command for the same repository for some time afterwards, Subversion should use the password cached by GPG-Agent:

    Updating '.':
    At revision 123.
    

    Edit: I have the impression that, when using a repository for the first time (i.e., when it is not yet present in Subversion's cache), the password is only correctly saved by GPG-Agent after entering it twice.