When using the Secret Service credential store, if the keyring is locked at the time when I run a Git operation then GCM deletes the credential from the keyring and fails to authenticate with the remote

[gaazkam]

Which version of GCM are you using?

Git Credential Manager version 2.0.696+4365b917da (Ubuntu 20.04.4 LTS on VirtualBox, almost fresh installation)

As per your instructions https://github.com/GitCredentialManager/git-credential-manager/blob/main/docs/credstores.md I instructed GCM to use the freedesktop.org Secret Service API as its credential store.

This is how I set up GCM to test the issue described here:

sudo dpkg -i Downloads/gcmcore-linux_amd64.2.0.696.deb
git-credential-manager-core configure
git config --global user.name gaazkam
git config --global user.email "26407962+gaazkam@users.noreply.github.com"
git config --global credential.credentialStore secretservice
git clone https://github.com/gaazkam/mon.git
cd mon
git push

After the last command, as expected, I had to log in into Github and a keyring was created holding the credentials to my Github account.

Problems described below start when the keyring gets locked (eg because I reboot the system; note that the login keyring does not get unlocked on login if the system is set to automatic login, without having to enter the password).

Which Git host provider are you trying to connect to?

• Azure DevOps
• Azure DevOps Server (TFS/on-prem)
• GitHub
• GitHub Enterprise
• Bitbucket
• Other - please describe

Can you access the remote repository directly in the browser using the remote URL?

• Yes
• No, I get a permission error
• No, for a different reason - please describe

---

[Azure DevOps only] What format is your remote URL?

• Not applicable
• https://dev.azure.com/`{org}`/...
• https://{org}@dev.azure.com/{org}/...
• https://{org}.visualstudio.com/...

[Azure DevOps only] If the account picker shows more than one identity as you authenticate, check that you selected the same one that has access on the web.

• Not applicable
• I only see one identity
• I checked each identity and none worked

---

Expected behavior

If the keyring that holds the credentials to my Github account is locked at the time when GCM needs to access it then a popup shows asking me to enter the password to unlock this keyring. When I enter the correct password I am authenticated and my Git operation completes succesfully. The credential is not deleted.

Actual behavior

If the keyring that holds the credentials to my Github account is locked at the time when GCM needs to access it then a popup shows asking me to enter the password to unlock this keyring. When I enter the correct password the keyring gets unlocked, however, the credential is immediately deleted from this keyring and my Git operation fails with the following error:

remote: No anonymous write access.
fatal: Authentication failed for 'https://github.com/gaazkam/mon.git/'

That the credential is deleted from the keyring can be confirmed by launching the Passwords and Keys tool in ubuntu and keeping it open next to the terminal emulator. If git push is then run in the terminal emulator and the correct password is entered into the popup then this is what happens in the Passwords and Keys window: the keyring is unlocked, the credential to my Github account is shown very briefly but then soon removed and the message 'It looks like this collection is empty' is shown.

Subsequent attempts to run the Git operation launch the browser and ask me to log into my Github account; when this is done the credential is saved to the keyring and everything works fine until the next time when the keyring is locked when GCM needs to access it.

If, at the time when GCM needs to access the keyring it is not locked then the problem described above does not happen. Instead, at that situation, as expected, I am authenticated, my Git operation completes succesfully and no credentials are deleted from the keyring.

Logs

m@m-VirtualBox:~$ export GCM_TRACE=1
m@m-VirtualBox:~$ export GIT_TRACE=1
m@m-VirtualBox:~$ cd mon
m@m-VirtualBox:~/mon$ git push
10:27:02.657020 git.c:439               trace: built-in: git push
10:27:02.661387 run-command.c:663       trace: run_command: GIT_DIR=.git git-remote-https origin https://github.com/gaazkam/mon.git
10:27:03.241135 run-command.c:663       trace: run_command: '/usr/local/share/gcm-core/git-credential-manager-core get'
10:27:03.868554 ...re/Application.cs:95 trace: [RunInternalAsync] Version: 2.0.696.25923
10:27:03.872331 ...re/Application.cs:96 trace: [RunInternalAsync] Runtime: .NET 6.0.3
10:27:03.872536 ...re/Application.cs:97 trace: [RunInternalAsync] Platform: Linux (x86-64)
10:27:03.872591 ...re/Application.cs:98 trace: [RunInternalAsync] OSVersion: Linux m-VirtualBox 5.13.0-41-generic #46~20.04.1-Ubuntu SMP Wed Apr 20 13:16:21 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
10:27:03.873047 ...re/Application.cs:99 trace: [RunInternalAsync] AppPath: /usr/local/share/gcm-core/git-credential-manager-core
10:27:03.873135 ...e/Application.cs:100 trace: [RunInternalAsync] Arguments: get
10:27:04.073771 ...GitCommandBase.cs:33 trace: [ExecuteAsync] Start 'get' command...
10:27:04.096547 ...GitCommandBase.cs:47 trace: [ExecuteAsync] Detecting host provider for input:
10:27:04.099318 ...GitCommandBase.cs:48 trace: [ExecuteAsync] 	protocol=https
10:27:04.099456 ...GitCommandBase.cs:48 trace: [ExecuteAsync] 	host=github.com
10:27:04.194879 ...viderRegistry.cs:149 trace: [GetProviderAsync] Performing auto-detection of host provider.
10:27:04.202265 ...viderRegistry.cs:158 trace: [GetProviderAsync] Auto-detect probe timeout is 2 ms.
10:27:04.208775 ...viderRegistry.cs:166 trace: [GetProviderAsync] Checking against 4 host providers registered with priority 'Normal'.
10:27:04.213750 ...GitCommandBase.cs:50 trace: [ExecuteAsync] Host provider 'GitHub' was selected.
10:27:04.222221 .../HostProvider.cs:126 trace: [GetCredentialAsync] Looking for existing credential in store with service=https://github.com account=...
10:27:11.296076 .../HostProvider.cs:140 trace: [GetCredentialAsync] Existing credential found.
10:27:11.298580 ...GitCommandBase.cs:54 trace: [ExecuteAsync] End 'get' command...
10:27:11.531683 run-command.c:663       trace: run_command: '/usr/local/share/gcm-core/git-credential-manager-core erase'
10:27:11.837155 ...re/Application.cs:95 trace: [RunInternalAsync] Version: 2.0.696.25923
10:27:11.840275 ...re/Application.cs:96 trace: [RunInternalAsync] Runtime: .NET 6.0.3
10:27:11.840370 ...re/Application.cs:97 trace: [RunInternalAsync] Platform: Linux (x86-64)
10:27:11.840392 ...re/Application.cs:98 trace: [RunInternalAsync] OSVersion: Linux m-VirtualBox 5.13.0-41-generic #46~20.04.1-Ubuntu SMP Wed Apr 20 13:16:21 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
10:27:11.840565 ...re/Application.cs:99 trace: [RunInternalAsync] AppPath: /usr/local/share/gcm-core/git-credential-manager-core
10:27:11.840636 ...e/Application.cs:100 trace: [RunInternalAsync] Arguments: erase
10:27:11.989844 ...GitCommandBase.cs:33 trace: [ExecuteAsync] Start 'erase' command...
10:27:12.011502 ...GitCommandBase.cs:47 trace: [ExecuteAsync] Detecting host provider for input:
10:27:12.014696 ...GitCommandBase.cs:48 trace: [ExecuteAsync] 	protocol=https
10:27:12.014811 ...GitCommandBase.cs:48 trace: [ExecuteAsync] 	host=github.com
10:27:12.014864 ...GitCommandBase.cs:48 trace: [ExecuteAsync] 	username=
10:27:12.014880 ...GitCommandBase.cs:48 trace: [ExecuteAsync] 	password=********
10:27:12.074374 ...viderRegistry.cs:149 trace: [GetProviderAsync] Performing auto-detection of host provider.
10:27:12.080330 ...viderRegistry.cs:158 trace: [GetProviderAsync] Auto-detect probe timeout is 2 ms.
10:27:12.084111 ...viderRegistry.cs:166 trace: [GetProviderAsync] Checking against 4 host providers registered with priority 'Normal'.
10:27:12.086713 ...GitCommandBase.cs:50 trace: [ExecuteAsync] Host provider 'GitHub' was selected.
10:27:12.088833 .../HostProvider.cs:173 trace: [EraseCredentialAsync] Erasing stored credential in store with service=https://github.com account=...
10:27:12.168989 .../HostProvider.cs:176 trace: [EraseCredentialAsync] Credential was successfully erased.
10:27:12.169133 ...GitCommandBase.cs:54 trace: [ExecuteAsync] End 'erase' command...
remote: No anonymous write access.
fatal: Authentication failed for 'https://github.com/gaazkam/mon.git/'

[ldennington]

Thank you for reporting this - I'm planning to investigate next week. In the meantime, the suggested workaround is switching to GPG or plaintext.

[Nantris]

Any update on this? We've been struggling with this for weeks but only just found this issue today.

[ldennington]

Apologies, no update as of right now. GitHub is off next week, but I will prioritize this item when we return (the week of July 11th).

[Nantris]

@ldennington thanks so much for the update! Any idea about an ETA for this yet, or too soon to say?

[ldennington]

@slapbox - thanks for the reminder! I've just finished up another project so will make this top priority today.

[ldennington]

@slapbox - would you mind sending the contents of your global Git config file? I'm wondering if something there is the issue.

On my end, I've set up Secret Service on my Fedora VM and manually locked the keyring. However, whenever I attempt to interact with my remote repository, I enter my keyring password and the credential is not erased. The command proceeds as expected. My trace logs:

15:10:33.573455 git.c:458               trace: built-in: git push
15:10:33.573697 run-command.c:654       trace: run_command: GIT_DIR=.git git remote-https origin https://github.com/ldennington/ac_tutorial_cocoapods_second_copy.git
15:10:33.575693 git.c:745               trace: exec: git-remote-https origin https://github.com/ldennington/ac_tutorial_cocoapods_second_copy.git
15:10:33.575776 run-command.c:654       trace: run_command: git-remote-https origin https://github.com/ldennington/ac_tutorial_cocoapods_second_copy.git
15:10:33.782419 run-command.c:654       trace: run_command: '/usr/local/share/gcm-core/git-credential-manager-core get'
15:10:33.917148 ...re/Application.cs:95 trace: [RunInternalAsync] Version: 2.0.788.2530
15:10:33.918392 ...re/Application.cs:96 trace: [RunInternalAsync] Runtime: .NET 6.0.7
15:10:33.918448 ...re/Application.cs:97 trace: [RunInternalAsync] Platform: Linux (x86-64)
15:10:33.918484 ...re/Application.cs:98 trace: [RunInternalAsync] OSVersion: Linux fedora 5.18.10-100.fc35.x86_64 #1 SMP PREEMPT_DYNAMIC Thu Jul 7 17:41:37 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
15:10:33.918561 ...re/Application.cs:99 trace: [RunInternalAsync] AppPath: /usr/local/share/gcm-core/git-credential-manager-core
15:10:33.918617 ...e/Application.cs:100 trace: [RunInternalAsync] Arguments: get
15:10:33.976313 ...GitCommandBase.cs:33 trace: [ExecuteAsync] Start 'get' command...
15:10:33.988601 ...GitCommandBase.cs:47 trace: [ExecuteAsync] Detecting host provider for input:
15:10:33.989537 ...GitCommandBase.cs:48 trace: [ExecuteAsync] 	protocol=https
15:10:33.989608 ...GitCommandBase.cs:48 trace: [ExecuteAsync] 	host=github.com
15:10:34.016402 ...viderRegistry.cs:149 trace: [GetProviderAsync] Performing auto-detection of host provider.
15:10:34.019882 ...viderRegistry.cs:162 trace: [GetProviderAsync] Auto-detect probe timeout is 2 ms.
15:10:34.021409 ...viderRegistry.cs:170 trace: [GetProviderAsync] Checking against 4 host providers registered with priority 'Normal'.
15:10:34.022451 ...GitCommandBase.cs:50 trace: [ExecuteAsync] Host provider 'GitHub' was selected.
15:10:34.024278 .../HostProvider.cs:126 trace: [GetCredentialAsync] Looking for existing credential in store with service=https://github.com account=...
15:10:39.823363 .../HostProvider.cs:140 trace: [GetCredentialAsync] Existing credential found.
15:10:39.824316 ...GitCommandBase.cs:54 trace: [ExecuteAsync] End 'get' command...
15:10:39.970213 run-command.c:654       trace: run_command: '/usr/local/share/gcm-core/git-credential-manager-core store'
15:10:40.090069 ...re/Application.cs:95 trace: [RunInternalAsync] Version: 2.0.788.2530
15:10:40.091397 ...re/Application.cs:96 trace: [RunInternalAsync] Runtime: .NET 6.0.7
15:10:40.091454 ...re/Application.cs:97 trace: [RunInternalAsync] Platform: Linux (x86-64)
15:10:40.091490 ...re/Application.cs:98 trace: [RunInternalAsync] OSVersion: Linux fedora 5.18.10-100.fc35.x86_64 #1 SMP PREEMPT_DYNAMIC Thu Jul 7 17:41:37 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
15:10:40.091568 ...re/Application.cs:99 trace: [RunInternalAsync] AppPath: /usr/local/share/gcm-core/git-credential-manager-core
15:10:40.091626 ...e/Application.cs:100 trace: [RunInternalAsync] Arguments: store
15:10:40.150685 ...GitCommandBase.cs:33 trace: [ExecuteAsync] Start 'store' command...
15:10:40.165253 ...GitCommandBase.cs:47 trace: [ExecuteAsync] Detecting host provider for input:
15:10:40.166472 ...GitCommandBase.cs:48 trace: [ExecuteAsync] 	protocol=https
15:10:40.166626 ...GitCommandBase.cs:48 trace: [ExecuteAsync] 	host=github.com
15:10:40.166689 ...GitCommandBase.cs:48 trace: [ExecuteAsync] 	username=ldennington
15:10:40.166744 ...GitCommandBase.cs:48 trace: [ExecuteAsync] 	password=********
15:10:40.196194 ...viderRegistry.cs:149 trace: [GetProviderAsync] Performing auto-detection of host provider.
15:10:40.199527 ...viderRegistry.cs:162 trace: [GetProviderAsync] Auto-detect probe timeout is 2 ms.
15:10:40.201078 ...viderRegistry.cs:170 trace: [GetProviderAsync] Checking against 4 host providers registered with priority 'Normal'.
15:10:40.202124 ...GitCommandBase.cs:50 trace: [ExecuteAsync] Host provider 'GitHub' was selected.
15:10:40.202897 .../HostProvider.cs:160 trace: [StoreCredentialAsync] Storing credential with service=https://github.com account=ldennington...
15:10:40.236043 .../HostProvider.cs:162 trace: [StoreCredentialAsync] Credential was successfully stored.
15:10:40.236154 ...GitCommandBase.cs:54 trace: [ExecuteAsync] End 'store' command...
15:10:40.242426 run-command.c:654       trace: run_command: git send-pack --stateless-rpc --helper-status --thin --progress https://github.com/ldennington/ac_tutorial_cocoapods_second_copy.git/ --stdin
15:10:40.245046 git.c:458               trace: built-in: git send-pack --stateless-rpc --helper-status --thin --progress https://github.com/ldennington/ac_tutorial_cocoapods_second_copy.git/ --stdin
15:10:40.245513 run-command.c:654       trace: run_command: git pack-objects --all-progress-implied --revs --stdout --thin --delta-base-offset --progress
15:10:40.247064 git.c:458               trace: built-in: git pack-objects --all-progress-implied --revs --stdout --thin --delta-base-offset --progress

[Nantris]

Thanks for the follow-up @ldennington!

The file looks like this on my machine:

[user]
        email = redacted
        name = redacted
[credential]
        helper = /usr/share/doc/git/contrib/credential/libsecret/git-credential-libsecret
        helper = 
        helper = /usr/local/share/gcm-core/git-credential-manager-core
        credentialStore = secretservice
[credential "https://dev.azure.com"]
        useHttpPath = true

I wonder if that blank line for helper = might have something to do with it?

Oddly, when the keyring is unlocked automatically at startup it doesn't necessarily preclude the possibility of this issue occurring. But then closing and re-opening (locking and unlocking) the keyring manually seems to prevent the issue. It seems like there's some other factor in the issue that I'm not understanding yet.

---

Edit: And actually, I just discovered that, at least in this attempt, when I exited out of the GCM window that asks you to sign into Github and try git pull again, the second time it seems to work as intended, even if I did not enter my credentials anew. Perhaps this is really just a user interface bug? Any thoughts?

[ldennington]

Thanks for sharing @slapbox! The blank line is actually ok - see the third paragraph of this section on credential helpers for details. Overall, that config looks ok to me.

If I'm understanding correctly, the reason I wasn't able to repro is that I was manually locking the key ring? That's super interesting. Also super interesting that it succeeds on the second try. I still think this is an issue with either Git or GCM and will continue to investigate.

[Nantris]

Thanks for investigating this and for that link on credential helpers!

If I'm understanding correctly, the reason I wasn't able to repro is that I was manually locking the key ring?

I don't know if that's accurate, because my first attempt to workaround this issue was to set the wallet manager appear at login to remind me to manually unlock before running git pull, and when I did manually unlock, the issue still occurred. I'm not really sure what to make of that finding.

[Nantris]

Today when I ran git pull it first said:

remote: Repository not found.
fatal: Authentication failed for ....

Then when I ran it again GCM popped up. When I exited GCM using the X at the top-right of the window the console shows this message, and then immediately proceeds to git pull successfully (without me having to enter git pull again)

fatal: helper error (255): User cancelled dialog.

After cancelling the dialog, it seems that it just works. I'm increasingly convinced this is some sort of workflow bug, not a loss of credentials, because certainly the credentials were still stored as the pull succeeded. It seems like GCM doesn't know it has the credentials though.

---

Edit: When running git push a bit later, it pops up the GCM window again. And after exiting it, again the operation completes successfully once the window closes.

[Jackenmen]

I've been running into the same problem for a long while, finally found the time to figure out what it is and found this issue, yay 😄

I don't know if it's of any help but here's the output I'm getting:

• Locked after logging into my user account:

05:18:15.861385 git.c:460               trace: built-in: git clone https://gitlab.com/Jackenmen/private-project
Cloning into 'private-project'...
05:18:15.864503 run-command.c:655       trace: run_command: git remote-https origin https://gitlab.com/Jackenmen/private-project
05:18:15.866028 git.c:750               trace: exec: git-remote-https origin https://gitlab.com/Jackenmen/private-project
05:18:15.866072 run-command.c:655       trace: run_command: git-remote-https origin https://gitlab.com/Jackenmen/private-project
05:18:16.346943 run-command.c:655       trace: run_command: '/usr/bin/env git-credential-manager-core get'
warning: git-credential-manager-core was renamed to git-credential-manager
warning: see https://aka.ms/gcm/rename for more information
05:18:16.537620 ...re/Application.cs:95 trace: [RunInternalAsync] Version: 2.0.877.50119
05:18:16.538257 ...re/Application.cs:96 trace: [RunInternalAsync] Runtime: .NET 6.0.10
05:18:16.538269 ...re/Application.cs:97 trace: [RunInternalAsync] Platform: Linux (x86-64)
05:18:16.538274 ...re/Application.cs:98 trace: [RunInternalAsync] OSVersion: Linux JakubUbuntu2204PC 5.15.0-56-generic #62-Ubuntu SMP Tue Nov 22 19:54:14 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
05:18:16.538359 ...re/Application.cs:99 trace: [RunInternalAsync] AppPath: /usr/local/bin/git-credential-manager-core
05:18:16.538459 ...e/Application.cs:100 trace: [RunInternalAsync] InstallDir: /usr/local/share/gcm-core
05:18:16.538510 ...e/Application.cs:101 trace: [RunInternalAsync] Arguments: get
05:18:16.591916 ...GitCommandBase.cs:33 trace: [ExecuteAsync] Start 'get' command...
05:18:16.608379 ...GitCommandBase.cs:47 trace: [ExecuteAsync] Detecting host provider for input:
05:18:16.611281 ...GitCommandBase.cs:48 trace: [ExecuteAsync]   protocol=https
05:18:16.611330 ...GitCommandBase.cs:48 trace: [ExecuteAsync]   host=gitlab.com
05:18:16.622655 ...viderRegistry.cs:149 trace: [GetProviderAsync] Performing auto-detection of host provider.
05:18:16.625819 ...viderRegistry.cs:162 trace: [GetProviderAsync] Auto-detect probe timeout is 2 ms.
05:18:16.627883 ...viderRegistry.cs:170 trace: [GetProviderAsync] Checking against 4 host providers registered with priority 'Normal'.
05:18:16.629274 ...GitCommandBase.cs:50 trace: [ExecuteAsync] Host provider 'GitLab' was selected.
05:18:16.693623 ...nds/GetCommand.cs:39 trace: [ExecuteInternalAsync] Writing credentials to output:
05:18:16.693657 ...nds/GetCommand.cs:40 trace: [ExecuteInternalAsync]   protocol=https
05:18:16.693670 ...nds/GetCommand.cs:40 trace: [ExecuteInternalAsync]   host=gitlab.com
05:18:16.693676 ...nds/GetCommand.cs:40 trace: [ExecuteInternalAsync]   username=
05:18:16.693682 ...nds/GetCommand.cs:40 trace: [ExecuteInternalAsync]   password=********
05:18:16.694141 ...GitCommandBase.cs:54 trace: [ExecuteAsync] End 'get' command...
05:18:16.897664 run-command.c:655       trace: run_command: '/usr/bin/env git-credential-manager-core erase'
warning: git-credential-manager-core was renamed to git-credential-manager
warning: see https://aka.ms/gcm/rename for more information
05:18:17.136011 ...re/Application.cs:95 trace: [RunInternalAsync] Version: 2.0.877.50119
05:18:17.136644 ...re/Application.cs:96 trace: [RunInternalAsync] Runtime: .NET 6.0.10
05:18:17.136656 ...re/Application.cs:97 trace: [RunInternalAsync] Platform: Linux (x86-64)
05:18:17.136662 ...re/Application.cs:98 trace: [RunInternalAsync] OSVersion: Linux JakubUbuntu2204PC 5.15.0-56-generic #62-Ubuntu SMP Tue Nov 22 19:54:14 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
05:18:17.136783 ...re/Application.cs:99 trace: [RunInternalAsync] AppPath: /usr/local/bin/git-credential-manager-core
05:18:17.136898 ...e/Application.cs:100 trace: [RunInternalAsync] InstallDir: /usr/local/share/gcm-core
05:18:17.136937 ...e/Application.cs:101 trace: [RunInternalAsync] Arguments: erase
05:18:17.186526 ...GitCommandBase.cs:33 trace: [ExecuteAsync] Start 'erase' command...
05:18:17.196142 ...GitCommandBase.cs:47 trace: [ExecuteAsync] Detecting host provider for input:
05:18:17.199069 ...GitCommandBase.cs:48 trace: [ExecuteAsync]   protocol=https
05:18:17.199104 ...GitCommandBase.cs:48 trace: [ExecuteAsync]   host=gitlab.com
05:18:17.199112 ...GitCommandBase.cs:48 trace: [ExecuteAsync]   username=
05:18:17.199133 ...GitCommandBase.cs:48 trace: [ExecuteAsync]   password=********
05:18:17.210118 ...viderRegistry.cs:149 trace: [GetProviderAsync] Performing auto-detection of host provider.
05:18:17.213331 ...viderRegistry.cs:162 trace: [GetProviderAsync] Auto-detect probe timeout is 2 ms.
05:18:17.215371 ...viderRegistry.cs:170 trace: [GetProviderAsync] Checking against 4 host providers registered with priority 'Normal'.
05:18:17.216896 ...GitCommandBase.cs:50 trace: [ExecuteAsync] Host provider 'GitLab' was selected.
05:18:17.266831 .../HostProvider.cs:173 trace: [EraseCredentialAsync] Erasing stored credential in store with service=https://gitlab.com account=...
05:18:17.281892 .../HostProvider.cs:176 trace: [EraseCredentialAsync] Credential was successfully erased.
05:18:17.282023 ...GitCommandBase.cs:54 trace: [ExecuteAsync] End 'erase' command...
remote: HTTP Basic: Access denied. The provided password or token is incorrect or your account has 2FA enabled and you must use a personal access token instead of a password. See https://gitlab.com/help/topics/git/troubleshooting_git#error-on-git-fetch-http-basic-access-denied
fatal: Authentication failed for 'https://gitlab.com/Jackenmen/private-project.git/'

• Unlocked:

❯ GCM_TRACE=1 GIT_TRACE=1 git clone https://gitlab.com/Jackenmen/private-project
05:20:29.583791 git.c:460               trace: built-in: git clone https://gitlab.com/Jackenmen/private-project
Cloning into 'private-project'...
05:20:29.588703 run-command.c:655       trace: run_command: git remote-https origin https://gitlab.com/Jackenmen/private-project
05:20:29.591653 git.c:750               trace: exec: git-remote-https origin https://gitlab.com/Jackenmen/private-project
05:20:29.591752 run-command.c:655       trace: run_command: git-remote-https origin https://gitlab.com/Jackenmen/private-project
05:20:30.124220 run-command.c:655       trace: run_command: '/usr/bin/env git-credential-manager get'
05:20:30.300600 ...re/Application.cs:95 trace: [RunInternalAsync] Version: 2.0.877.50119
05:20:30.302030 ...re/Application.cs:96 trace: [RunInternalAsync] Runtime: .NET 6.0.10
05:20:30.302058 ...re/Application.cs:97 trace: [RunInternalAsync] Platform: Linux (x86-64)
05:20:30.302076 ...re/Application.cs:98 trace: [RunInternalAsync] OSVersion: Linux JakubUbuntu2204PC 5.15.0-56-generic #62-Ubuntu SMP Tue Nov 22 19:54:14 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
05:20:30.302188 ...re/Application.cs:99 trace: [RunInternalAsync] AppPath: /usr/local/bin/git-credential-manager
05:20:30.302270 ...e/Application.cs:100 trace: [RunInternalAsync] InstallDir: /usr/local/share/gcm-core
05:20:30.302308 ...e/Application.cs:101 trace: [RunInternalAsync] Arguments: get
05:20:30.351108 ...GitCommandBase.cs:33 trace: [ExecuteAsync] Start 'get' command...
05:20:30.364405 ...GitCommandBase.cs:47 trace: [ExecuteAsync] Detecting host provider for input:
05:20:30.367708 ...GitCommandBase.cs:48 trace: [ExecuteAsync]   protocol=https
05:20:30.367773 ...GitCommandBase.cs:48 trace: [ExecuteAsync]   host=gitlab.com
05:20:30.378203 ...viderRegistry.cs:149 trace: [GetProviderAsync] Performing auto-detection of host provider.
05:20:30.382079 ...viderRegistry.cs:162 trace: [GetProviderAsync] Auto-detect probe timeout is 2 ms.
05:20:30.384886 ...viderRegistry.cs:170 trace: [GetProviderAsync] Checking against 4 host providers registered with priority 'Normal'.
05:20:30.386105 ...GitCommandBase.cs:50 trace: [ExecuteAsync] Host provider 'GitLab' was selected.
05:20:30.434712 ...nticationBase.cs:145 trace: [TryFindHelperCommand] Using default UI helper: 'GitLab.UI'.
05:20:30.434748 ...nticationBase.cs:176 trace: [TryFindHelperCommand] Found in-box native UI helper: '/usr/local/share/gcm-core/GitLab.UI'
05:20:30.436270 ...enticationBase.cs:40 trace: [InvokeHelperAsync] Starting helper process: /usr/local/share/gcm-core/GitLab.UI prompt --url https://gitlab.com/ --basic --browser --pat
05:20:32.926706 ...pClientFactory.cs:58 trace: [CreateClient] Creating new HTTP client instance...
info: please complete authentication in your browser...
05:20:35.924969 ...bHostProvider.cs:207 trace: [GetCredentialAsync] Pre-emptively storing OAuth access and refresh tokens...
05:20:35.957727 ...nds/GetCommand.cs:39 trace: [ExecuteInternalAsync] Writing credentials to output:
05:20:35.957769 ...nds/GetCommand.cs:40 trace: [ExecuteInternalAsync]   protocol=https
05:20:35.957780 ...nds/GetCommand.cs:40 trace: [ExecuteInternalAsync]   host=gitlab.com
05:20:35.957788 ...nds/GetCommand.cs:40 trace: [ExecuteInternalAsync]   username=oauth2
05:20:35.957796 ...nds/GetCommand.cs:40 trace: [ExecuteInternalAsync]   password=********
05:20:35.958338 ...GitCommandBase.cs:54 trace: [ExecuteAsync] End 'get' command...
05:20:36.261194 run-command.c:655       trace: run_command: '/usr/bin/env git-credential-manager store'
05:20:36.533661 ...re/Application.cs:95 trace: [RunInternalAsync] Version: 2.0.877.50119
05:20:36.535467 ...re/Application.cs:96 trace: [RunInternalAsync] Runtime: .NET 6.0.10
05:20:36.535498 ...re/Application.cs:97 trace: [RunInternalAsync] Platform: Linux (x86-64)
05:20:36.535507 ...re/Application.cs:98 trace: [RunInternalAsync] OSVersion: Linux JakubUbuntu2204PC 5.15.0-56-generic #62-Ubuntu SMP Tue Nov 22 19:54:14 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
05:20:36.535560 ...re/Application.cs:99 trace: [RunInternalAsync] AppPath: /usr/local/bin/git-credential-manager
05:20:36.535603 ...e/Application.cs:100 trace: [RunInternalAsync] InstallDir: /usr/local/share/gcm-core
05:20:36.535630 ...e/Application.cs:101 trace: [RunInternalAsync] Arguments: store
05:20:36.609465 ...GitCommandBase.cs:33 trace: [ExecuteAsync] Start 'store' command...
05:20:36.635268 ...GitCommandBase.cs:47 trace: [ExecuteAsync] Detecting host provider for input:
05:20:36.639641 ...GitCommandBase.cs:48 trace: [ExecuteAsync]   protocol=https
05:20:36.639716 ...GitCommandBase.cs:48 trace: [ExecuteAsync]   host=gitlab.com
05:20:36.639755 ...GitCommandBase.cs:48 trace: [ExecuteAsync]   username=oauth2
05:20:36.639793 ...GitCommandBase.cs:48 trace: [ExecuteAsync]   password=********
05:20:36.666222 ...viderRegistry.cs:149 trace: [GetProviderAsync] Performing auto-detection of host provider.
05:20:36.706787 ...viderRegistry.cs:162 trace: [GetProviderAsync] Auto-detect probe timeout is 2 ms.
05:20:36.709891 ...viderRegistry.cs:170 trace: [GetProviderAsync] Checking against 4 host providers registered with priority 'Normal'.
05:20:36.713293 ...GitCommandBase.cs:50 trace: [ExecuteAsync] Host provider 'GitLab' was selected.
05:20:36.715785 .../HostProvider.cs:160 trace: [StoreCredentialAsync] Storing credential with service=https://gitlab.com account=oauth2...
05:20:36.785850 .../HostProvider.cs:162 trace: [StoreCredentialAsync] Credential was successfully stored.
05:20:36.785884 ...GitCommandBase.cs:54 trace: [ExecuteAsync] End 'store' command...
warning: redirecting to https://gitlab.com/Jackenmen/private-project.git/
05:20:37.473938 run-command.c:655       trace: run_command: git index-pack --stdin -v --fix-thin '--keep=fetch-pack 66102 on JakubUbuntu2204PC' --check-self-contained-and-connected
remote: Enumerating objects: 67, done.
remote: Counting objects: 100% (67/67), done.
remote: Compressing objects: 100% (66/66), done.
remote: Total 67 (delta 35), reused 0 (delta 0), pack-reused 0
05:20:37.478288 git.c:460               trace: built-in: git index-pack --stdin -v --fix-thin '--keep=fetch-pack 66102 on JakubUbuntu2204PC' --check-self-contained-and-connected
Receiving objects: 100% (67/67), 16.91 KiB | 8.46 MiB/s, done.
Resolving deltas: 100% (35/35), done.
05:20:37.486328 run-command.c:655       trace: run_command: git rev-list --objects --stdin --not --all --quiet --alternate-refs '--progress=Checking connectivity'
05:20:37.488200 git.c:460               trace: built-in: git rev-list --objects --stdin --not --all --quiet --alternate-refs '--progress=Checking connectivity'

• Locked manually:

❯ GCM_TRACE=1 GIT_TRACE=1 git clone https://gitlab.com/Jackenmen/private-project
05:23:16.215089 git.c:460               trace: built-in: git clone https://gitlab.com/Jackenmen/private-project
Cloning into 'private-project'...
05:23:16.217030 run-command.c:655       trace: run_command: git remote-https origin https://gitlab.com/Jackenmen/private-project
05:23:16.218128 git.c:750               trace: exec: git-remote-https origin https://gitlab.com/Jackenmen/private-project
05:23:16.218164 run-command.c:655       trace: run_command: git-remote-https origin https://gitlab.com/Jackenmen/private-project
05:23:16.811627 run-command.c:655       trace: run_command: '/usr/bin/env git-credential-manager get'
05:23:17.029703 ...re/Application.cs:95 trace: [RunInternalAsync] Version: 2.0.877.50119
05:23:17.031169 ...re/Application.cs:96 trace: [RunInternalAsync] Runtime: .NET 6.0.10
05:23:17.031198 ...re/Application.cs:97 trace: [RunInternalAsync] Platform: Linux (x86-64)
05:23:17.031222 ...re/Application.cs:98 trace: [RunInternalAsync] OSVersion: Linux JakubUbuntu2204PC 5.15.0-56-generic #62-Ubuntu SMP Tue Nov 22 19:54:14 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
05:23:17.031295 ...re/Application.cs:99 trace: [RunInternalAsync] AppPath: /usr/local/bin/git-credential-manager
05:23:17.031405 ...e/Application.cs:100 trace: [RunInternalAsync] InstallDir: /usr/local/share/gcm-core
05:23:17.031456 ...e/Application.cs:101 trace: [RunInternalAsync] Arguments: get
05:23:17.081578 ...GitCommandBase.cs:33 trace: [ExecuteAsync] Start 'get' command...
05:23:17.096926 ...GitCommandBase.cs:47 trace: [ExecuteAsync] Detecting host provider for input:
05:23:17.099817 ...GitCommandBase.cs:48 trace: [ExecuteAsync]   protocol=https
05:23:17.099857 ...GitCommandBase.cs:48 trace: [ExecuteAsync]   host=gitlab.com
05:23:17.110414 ...viderRegistry.cs:149 trace: [GetProviderAsync] Performing auto-detection of host provider.
05:23:17.113644 ...viderRegistry.cs:162 trace: [GetProviderAsync] Auto-detect probe timeout is 2 ms.
05:23:17.115617 ...viderRegistry.cs:170 trace: [GetProviderAsync] Checking against 4 host providers registered with priority 'Normal'.
05:23:17.117092 ...GitCommandBase.cs:50 trace: [ExecuteAsync] Host provider 'GitLab' was selected.
05:23:17.169502 ...pClientFactory.cs:58 trace: [CreateClient] Creating new HTTP client instance...
05:23:17.759628 ...nds/GetCommand.cs:39 trace: [ExecuteInternalAsync] Writing credentials to output:
05:23:17.759679 ...nds/GetCommand.cs:40 trace: [ExecuteInternalAsync]   protocol=https
05:23:17.759693 ...nds/GetCommand.cs:40 trace: [ExecuteInternalAsync]   host=gitlab.com
05:23:17.759710 ...nds/GetCommand.cs:40 trace: [ExecuteInternalAsync]   username=oauth2
05:23:17.759719 ...nds/GetCommand.cs:40 trace: [ExecuteInternalAsync]   password=********
05:23:17.760420 ...GitCommandBase.cs:54 trace: [ExecuteAsync] End 'get' command...
05:23:18.273688 run-command.c:655       trace: run_command: '/usr/bin/env git-credential-manager store'
05:23:18.450237 ...re/Application.cs:95 trace: [RunInternalAsync] Version: 2.0.877.50119
05:23:18.451722 ...re/Application.cs:96 trace: [RunInternalAsync] Runtime: .NET 6.0.10
05:23:18.451762 ...re/Application.cs:97 trace: [RunInternalAsync] Platform: Linux (x86-64)
05:23:18.451768 ...re/Application.cs:98 trace: [RunInternalAsync] OSVersion: Linux JakubUbuntu2204PC 5.15.0-56-generic #62-Ubuntu SMP Tue Nov 22 19:54:14 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
05:23:18.451879 ...re/Application.cs:99 trace: [RunInternalAsync] AppPath: /usr/local/bin/git-credential-manager
05:23:18.451961 ...e/Application.cs:100 trace: [RunInternalAsync] InstallDir: /usr/local/share/gcm-core
05:23:18.452019 ...e/Application.cs:101 trace: [RunInternalAsync] Arguments: store
05:23:18.503943 ...GitCommandBase.cs:33 trace: [ExecuteAsync] Start 'store' command...
05:23:18.519929 ...GitCommandBase.cs:47 trace: [ExecuteAsync] Detecting host provider for input:
05:23:18.522589 ...GitCommandBase.cs:48 trace: [ExecuteAsync]   protocol=https
05:23:18.522623 ...GitCommandBase.cs:48 trace: [ExecuteAsync]   host=gitlab.com
05:23:18.522629 ...GitCommandBase.cs:48 trace: [ExecuteAsync]   username=oauth2
05:23:18.522650 ...GitCommandBase.cs:48 trace: [ExecuteAsync]   password=********
05:23:18.535983 ...viderRegistry.cs:149 trace: [GetProviderAsync] Performing auto-detection of host provider.
05:23:18.539253 ...viderRegistry.cs:162 trace: [GetProviderAsync] Auto-detect probe timeout is 2 ms.
05:23:18.541469 ...viderRegistry.cs:170 trace: [GetProviderAsync] Checking against 4 host providers registered with priority 'Normal'.
05:23:18.542722 ...GitCommandBase.cs:50 trace: [ExecuteAsync] Host provider 'GitLab' was selected.
05:23:18.543067 .../HostProvider.cs:160 trace: [StoreCredentialAsync] Storing credential with service=https://gitlab.com account=oauth2...
05:23:18.581440 .../HostProvider.cs:162 trace: [StoreCredentialAsync] Credential was successfully stored.
05:23:18.581484 ...GitCommandBase.cs:54 trace: [ExecuteAsync] End 'store' command...
warning: redirecting to https://gitlab.com/Jackenmen/private-project.git/
05:23:19.302561 run-command.c:655       trace: run_command: git index-pack --stdin -v --fix-thin '--keep=fetch-pack 74037 on JakubUbuntu2204PC' --check-self-contained-and-connected
remote: Enumerating objects: 67, done.
remote: Counting objects: 100% (67/67), done.
remote: Compressing objects: 100% (66/66), done.
remote: Total 67 (delta 35), reused 0 (delta 0), pack-reused 0
05:23:19.311852 git.c:460               trace: built-in: git index-pack --stdin -v --fix-thin '--keep=fetch-pack 74037 on JakubUbuntu2204PC' --check-self-contained-and-connected
Receiving objects: 100% (67/67), 16.91 KiB | 2.42 MiB/s, done.
Resolving deltas: 100% (35/35), done.
05:23:19.330308 run-command.c:655       trace: run_command: git rev-list --objects --stdin --not --all --quiet --alternate-refs '--progress=Checking connectivity'
05:23:19.332816 git.c:460               trace: built-in: git rev-list --objects --stdin --not --all --quiet --alternate-refs '--progress=Checking connectivity'

• Output of diagnose command isn't particularly useful due to assertion error:

❯ git credential-manager-core diagnose
Running diagnostics...

 [ OK ] Environment
 [ OK ] File system
 [ OK ] Networking
 [ OK ] Git
  >>>>  Credential storagegit-credential-manager-core: ../egg/egg-secure-memory.c:596: sec_free: Assertion `cell->requested > 0' failed.
error: git-credential-manager-core died of signal 6

[Jackenmen]

I looked a bit more into this and it appears that the problem is related to libsecret having a different format of keys and values in the hashtable when unlocking for the first time since the beginning of the user session (and probably also since the last time user's password was changed if that happened more recently). Here's the output I got by adding some debugging prints (see commit: Jackenmen@d6b8e58) for the secretAttrs hashtable:

❯ echo $'protocol=https\nhost=gitlab.com\n' | GIT_TRACE=1 GCM_TRACE=1 out/shared/Git-Credential-Manager/bin/Debug/net6.0/git-credential-manager get
02:57:02.872916 ...re/Application.cs:95 trace: [RunInternalAsync] Version: 2.0.886.47318
02:57:02.879782 ...re/Application.cs:96 trace: [RunInternalAsync] Runtime: .NET 6.0.12
02:57:02.879808 ...re/Application.cs:97 trace: [RunInternalAsync] Platform: Linux (x86-64)
02:57:02.879817 ...re/Application.cs:98 trace: [RunInternalAsync] OSVersion: Linux JakubUbuntu2204PC 5.15.0-56-generic #62-Ubuntu SMP Tue Nov 22 19:54:14 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
02:57:02.879877 ...re/Application.cs:99 trace: [RunInternalAsync] AppPath: /home/ubuntu/work/git-credential-manager/out/shared/Git-Credential-Manager/bin/Debug/net6.0/git-credential-manager
02:57:02.879923 ...e/Application.cs:100 trace: [RunInternalAsync] InstallDir: /home/ubuntu/work/git-credential-manager/out/shared/Git-Credential-Manager/bin/Debug/net6.0/
02:57:02.879951 ...e/Application.cs:101 trace: [RunInternalAsync] Arguments: get
02:57:02.930952 ...GitCommandBase.cs:33 trace: [ExecuteAsync] Start 'get' command...
02:57:02.956365 ...GitCommandBase.cs:47 trace: [ExecuteAsync] Detecting host provider for input:
02:57:02.957476 ...GitCommandBase.cs:48 trace: [ExecuteAsync] 	protocol=https
02:57:02.957544 ...GitCommandBase.cs:48 trace: [ExecuteAsync] 	host=gitlab.com
02:57:02.969298 ...viderRegistry.cs:149 trace: [GetProviderAsync] Performing auto-detection of host provider.
02:57:02.973758 ...viderRegistry.cs:162 trace: [GetProviderAsync] Auto-detect probe timeout is 2 ms.
02:57:02.975676 ...viderRegistry.cs:170 trace: [GetProviderAsync] Checking against 4 host providers registered with priority 'Normal'.
02:57:02.977278 ...GitCommandBase.cs:50 trace: [ExecuteAsync] Host provider 'GitLab' was selected.
secretAttrs['gkr:compat:hashed:xdg:schema'] = ad50fd94b9c5a1d9b5368fb722f1a45a
secretAttrs['gkr:compat:hashed:account'] = da0048d0899c4f123beb9593706b9f14
secretAttrs['gkr:compat:hashed:service'] = 7a85317269127828187572699833fb17
secretAttrs['xdg:schema'] = org.freedesktop.Secret.Generic
02:57:03.085946 ...nds/GetCommand.cs:39 trace: [ExecuteInternalAsync] Writing credentials to output:
02:57:03.086000 ...nds/GetCommand.cs:40 trace: [ExecuteInternalAsync] 	protocol=https
02:57:03.086033 ...nds/GetCommand.cs:40 trace: [ExecuteInternalAsync] 	host=gitlab.com
02:57:03.086040 ...nds/GetCommand.cs:40 trace: [ExecuteInternalAsync] 	username=
02:57:03.086080 ...nds/GetCommand.cs:40 trace: [ExecuteInternalAsync] 	password=********
protocol=https
host=gitlab.com
username=
password=********

02:57:03.086549 ...GitCommandBase.cs:54 trace: [ExecuteAsync] End 'get' command...

While this is how it should look:

❯ echo $'protocol=https\nhost=gitlab.com\n' | GIT_TRACE=1 GCM_TRACE=1 out/shared/Git-Credential-Manager/bin/Debug/net6.0/git-credential-manager get
03:02:08.344042 ...re/Application.cs:95 trace: [RunInternalAsync] Version: 2.0.886.47318
03:02:08.351866 ...re/Application.cs:96 trace: [RunInternalAsync] Runtime: .NET 6.0.12
03:02:08.351899 ...re/Application.cs:97 trace: [RunInternalAsync] Platform: Linux (x86-64)
03:02:08.351909 ...re/Application.cs:98 trace: [RunInternalAsync] OSVersion: Linux JakubUbuntu2204PC 5.15.0-56-generic #62-Ubuntu SMP Tue Nov 22 19:54:14 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
03:02:08.351962 ...re/Application.cs:99 trace: [RunInternalAsync] AppPath: /home/ubuntu/work/git-credential-manager/out/shared/Git-Credential-Manager/bin/Debug/net6.0/git-credential-manager
03:02:08.352007 ...e/Application.cs:100 trace: [RunInternalAsync] InstallDir: /home/ubuntu/work/git-credential-manager/out/shared/Git-Credential-Manager/bin/Debug/net6.0/
03:02:08.352035 ...e/Application.cs:101 trace: [RunInternalAsync] Arguments: get
03:02:08.405271 ...GitCommandBase.cs:33 trace: [ExecuteAsync] Start 'get' command...
03:02:08.419529 ...GitCommandBase.cs:47 trace: [ExecuteAsync] Detecting host provider for input:
03:02:08.420537 ...GitCommandBase.cs:48 trace: [ExecuteAsync] 	protocol=https
03:02:08.420571 ...GitCommandBase.cs:48 trace: [ExecuteAsync] 	host=gitlab.com
03:02:08.433163 ...viderRegistry.cs:149 trace: [GetProviderAsync] Performing auto-detection of host provider.
03:02:08.438992 ...viderRegistry.cs:162 trace: [GetProviderAsync] Auto-detect probe timeout is 2 ms.
03:02:08.441213 ...viderRegistry.cs:170 trace: [GetProviderAsync] Checking against 4 host providers registered with priority 'Normal'.
03:02:08.443097 ...GitCommandBase.cs:50 trace: [ExecuteAsync] Host provider 'GitLab' was selected.
secretAttrs['account'] = oauth2
secretAttrs['service'] = git:https://gitlab.com
secretAttrs['xdg:schema'] = com.microsoft.GitCredentialManager
03:02:08.494174 ...pClientFactory.cs:58 trace: [CreateClient] Creating new HTTP client instance...
03:02:09.173488 ...nds/GetCommand.cs:39 trace: [ExecuteInternalAsync] Writing credentials to output:
03:02:09.173553 ...nds/GetCommand.cs:40 trace: [ExecuteInternalAsync] 	protocol=https
03:02:09.173630 ...nds/GetCommand.cs:40 trace: [ExecuteInternalAsync] 	host=gitlab.com
03:02:09.173839 ...nds/GetCommand.cs:40 trace: [ExecuteInternalAsync] 	username=oauth2
03:02:09.173957 ...nds/GetCommand.cs:40 trace: [ExecuteInternalAsync] 	password=********
protocol=https
host=gitlab.com
username=oauth2
password=********

03:02:09.175356 ...GitCommandBase.cs:54 trace: [ExecuteAsync] End 'get' command...

I'm unsure which libsecret or gnome keyring issue exactly is the cause here, there are several potential candidates to choose from:

• https://gitlab.gnome.org/GNOME/libsecret/-/issues/6
• https://gitlab.gnome.org/GNOME/libsecret/-/issues/7
• https://gitlab.gnome.org/GNOME/gnome-keyring/-/issues/89

There's also a possibly related bug report in Chromium which has a workaround implemented here:
https://bugs.chromium.org/p/chromium/issues/detail?id=660005