Question

I'd like to use git send-email to submit patches upstream, but my Gmail account is using two-factor authentication. Google provides app-specific passwords for things like this, but my question is: where is a secure place to store this password for use with git send-email?

Solution

Turns out git has a credential store. Linux, OS X, and Windows all have credential helpers that can collect credentials from the OS's keyring. This answer has a few examples.

If you'd rather have the patch saved to your drafts folder so you can review it before sending (or just so that Gmail tracks the thread better), you can do the following:

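git config --global imap.host imaps://imap.gmail.com
git config --global imap.user your.email@gmail.com
git config --global imap.port 993
# Keep certificate verification on; with it off, the app-specific password
# is sent over a connection whose server identity is never checked.
git config --global imap.sslverify true
# Quote the folder so the shell does not treat [Gmail] as a glob pattern.
git config --global imap.folder "[Gmail]/Drafts"
git format-patch --stdout | git imap-send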

git-credential support for git-imap-send has been available since git 2.1.0.

OTHER TIPS

Git 2.0.x/2.1 (Q3 2014) will support git credential for git imap-send.
See commit 791643a from Dan Albert (DanAlbert), now merged to git/git master branch:

imap-send: use git-credential

git-imap-send was directly prompting for a password rather than using git-credential. git-send-email, on the other hand, supports git-credential.

This is a necessary improvement for users that use two factor authentication, as they should not be expected to remember all of their app specific passwords.


Update 2017, for Git 2.14.x/2.15 (Q4 2017), git imap-send will still evolve.

See commit dbba42b, commit 19079b3, commit 690307f, commit 200bc38 (14 Sep 2017) by Nicolas Morey-Chaisemartin (nmorey).
(Merged by Junio C Hamano -- gitster -- in commit b67f154, 25 Sep 2017)

"git imap-send" has our own implementation of the protocol and also can use more recent libCurl with the imap protocol support.
Update the latter so that it can use the credential subsystem, and then make it the default option to use, so that we can eventually deprecate and remove the former.


With Git 2.30.1 (Q1 2021), the git send-email documentation is updated.

See commit 155067a (07 Jan 2021) by Vasyl Vavrychuk (vvavrychuk).
(Merged by Junio C Hamano -- gitster -- in commit 788f488, 15 Jan 2021)

git-send-email.txt: mention less secure app access with Gmail

Signed-off-by: Vasyl Vavrychuk
Signed-off-by: Denton Liu

Google may have changed Gmail security and now less secure app access needs to be explicitly enabled if two-factor authentication is not in place, otherwise send-email fails with:

5.7.8 Username and Password not accepted. Learn more at
5.7.8  https://support.google.com/mail/?p=BadCredentials

(Google: "I can't sign in to my email client")
Document steps required to make this work.

[dl: Clean up commit message and incorporate suggestions into patch.]

git send-email now includes in its man page:

If you have multi-factor authentication set up on your Gmail account, you will

If you do not have multi-factor authentication set up on your Gmail account, you will need to allow less secure app access. Visit https://myaccount.google.com/lesssecureapps to enable it.


Note: this is REVERTED with Git 2.41 (Q2 2023): drop use of deprecated app-specific password against Gmail.

See commit 839ebad (01 Oct 2022) by Jouke Witteveen (joukewitteveen).
(Merged by Junio C Hamano -- gitster -- in commit 53b2944, 09 May 2023)

send-email docs: Remove mention of discontinued gmail feature

Signed-off-by: Jouke Witteveen

Support for "less secure apps" ended May 30, 2022.

This effectively reverts 155067a ("git-send-email.txt: mention less secure app access with Gmail", 2021-01-08, Git v2.31.0-rc0 -- merge listed in batch #3).

git send-email now includes in its man page:

If you have multi-factor authentication set up on your Gmail account, you can generate an app-specific password for use with 'git send-email'.

You can use the normal Git config to store the password, like so:

git config --global sendemail.smtpencryption tls
git config --global sendemail.smtpserver mail.example.com
git config --global sendemail.smtpuser fred@example.com
git config --global sendemail.smtpserverport 587
git config --global sendemail.smtppass smbumqjiurmqrywm

That will, of course, store the password in plain text. You should make sure your ~/.gitconfig file is not readable by others.

You could also store the password in an encrypted file and use that. You'd still have to remember and enter the password for the encryption, but at least you'd be able to choose that password. Something like gpg2 should do the trick.

Of course, in the end, the only really secure place to store the password is between your ears.

Source
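
The encrypted-file suggestion above can be combined with the git-credential support mentioned in the accepted answer, so the app-specific password is never written to ~/.gitconfig. The helper below is an added example, not code from the answers or from git itself; the helper name, the file path and the record layout are assumptions.

```shell
#!/bin/sh
# git-credential-gpgfile: added example, not code from the answers or from git.
# Serves credentials to git from a gpg-encrypted file, so the app-specific
# password never sits in ~/.gitconfig in plain text.
#
# Assumptions (hypothetical names/layout): the helper name, the file path, and
# a plaintext layout of one "host username password" record per line, where
# host is the value git passes (for send-email, assumed "server:port").
# Enable with: git config --global credential.helper /path/to/git-credential-gpgfile

CRED_FILE="${CRED_FILE:-$HOME/.config/git/mail-credentials.gpg}"

# Decrypt the store to stdout; gpg asks for the passphrase you chose.
decrypt_store() {
    gpg --quiet --decrypt "$CRED_FILE"
}

# Implements the helper's "get" operation: read key=value attributes from
# stdin (terminated by a blank line or EOF), print a matching
# username/password pair, or print nothing so git falls back to prompting.
credential_get() {
    host='' user=''
    while IFS= read -r line && [ -n "$line" ]; do
        case "$line" in
            host=*)     host=${line#host=} ;;
            username=*) user=${line#username=} ;;
        esac
    done
    [ -n "$host" ] || return 0

    decrypt_store | while read -r h u p; do
        [ "$h" = "$host" ] || continue
        # If git already knows the username, only answer for that account.
        [ -z "$user" ] || [ "$u" = "$user" ] || continue
        printf 'username=%s\npassword=%s\n' "$u" "$p"
        break
    done
}

# git runs the helper as: <helper> get|store|erase
case "${1:-}" in
    get) credential_get ;;
    *)   : ;;  # store/erase ignored: the encrypted file is edited by hand
esac
```
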

For those who don't want to use their Gmail password for this, I wrote a plug-in for git-send-email that uses OAuth 2 authorization. It requests only the minimum required permissions (send email on your behalf) and stores OAuth token data in Windows Credential Store, like Git Credential Manager does.

UPDATE: Google has a plug-in which works in a similar fashion, but keeps credentials in a file, and uses less restricted tokens (all of Gmail vs just send email on your behalf). It works on Linux though.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow