"Github's Gist and Gnome Keyring"

April 03, 2011

I like to keep my dotfiles in a git repository, but I never put my .gitconfig there because it included my GitHub API token, which is used, for example, by gist. Git allows you to use the output of a system command as a value (by prepending the value with an exclamation mark) only for settings in the [alias] section of .gitconfig, but I just found out that the gist script can also do this trick for the github.token setting. Thanks to that, we can prepare a script that gets the token from a different place, use it in .gitconfig, put the config into the repository and worry no more about publishing sensitive data.

I put the token in Gnome Keyring as it feels pretty secure. Just go to System -> Preferences -> Passwords and Encryption Keys, press Ctrl+N and choose Stored password. Select the login keyring, enter "GitHub API Token" as the description and your token as the password. Now we need a way to get this token out of the keyring in a shell script. Fortunately, there are Python language bindings for Gnome Keyring.

A Python script for retrieving passwords from the keyring can look like this:

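#!/usr/bin/env python
# Print the secret of the keyring item with the given display name.
# Usage: keyring-get-pass.py NAME [KEYRING]

import sys
import gnomekeyring as gk

if len(sys.argv) < 2:
    sys.stderr.write('usage: %s NAME [KEYRING]\n' % sys.argv[0])
    sys.exit(2)

# The keyring name is optional and defaults to the login keyring.
if len(sys.argv) > 2:
    ring_name = sys.argv[2]
else:
    ring_name = 'login'

for key in gk.list_item_ids_sync(ring_name):
    item = gk.item_get_info_sync(ring_name, key)
    if item.get_display_name() == sys.argv[1]:
        # No trailing newline, so callers can use the output as-is.
        sys.stdout.write(item.get_secret())
        break
else:
    # No item matched: fail instead of silently printing nothing.
    sys.exit(1)

Simple. It prints the password with the given name to standard output, without a newline character (so it's easier for other scripts to use it). Let's save it to ~/bin/keyring-get-pass.py and try it: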

$ python ~/bin/keyring-get-pass.py 'GitHub API Token'
my-secret-token-i-wont-show-you$

Cool. By default we get secrets from the login keyring. This is for convenience, as the login keyring is unlocked at system login time on Gnome (at least on Ubuntu), so it won't ask us to unlock it when running this script. If we need to get a password from a different keyring, its name can be passed as the second argument to the script.

Now, let's use the script in .gitconfig:

[github]
  user = sickill
  token = !python ~/bin/keyring-get-pass.py 'GitHub API Token'
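
A check to run before pushing the dotfiles repository, as an added example that is not part of the original post: it scans .gitconfig text and reports any token, password or secret setting whose value is stored inline instead of being fetched by a `!` command. The key-name pattern and both sample configs are assumptions constructed for the illustration.

```python
import re

SECTION = re.compile(r'^\s*\[\s*([A-Za-z0-9.-]+)(?:\s+"([^"]*)")?\s*\]')
SETTING = re.compile(r'^\s*([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.*?)\s*$')
# Key names treated as sensitive: an assumption made for this example.
SENSITIVE = re.compile(r'token|password|secret', re.IGNORECASE)


def find_literal_secrets(config_text):
    """Return (line_no, 'section.key') for sensitive settings stored inline.

    A value starting with '!' is a command that fetches the secret at run
    time (the form the post uses for github.token), so it is not reported.
    """
    findings = []
    section = ''
    for line_no, line in enumerate(config_text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped[0] in '#;':
            continue  # blank line or comment
        header = SECTION.match(line)
        if header:
            section = header.group(1).lower()
            continue
        setting = SETTING.match(line)
        if not setting:
            continue
        key, value = setting.group(1).lower(), setting.group(2).strip('"')
        if SENSITIVE.search(key) and value and not value.startswith('!'):
            findings.append((line_no, '%s.%s' % (section, key)))
    return findings


# Constructed samples: the post's config, and a variant with an inline token.
SAFE = """[github]
  user = sickill
  token = !python ~/bin/keyring-get-pass.py 'GitHub API Token'
"""
LEAKY = """[user]
  name = Example
[github]
  user = sickill
  token = 0123456789abcdef-constructed
"""

if __name__ == '__main__':
    for name, text in (('safe', SAFE), ('leaky', LEAKY)):
        print(name, find_literal_secrets(text))
```

The function reports only the line number and setting name, never the value, so its output can go into a hook log without repeating the secret.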

If you have other solutions for avoiding publishing passwords and tokens in your dotfiles (like config templates, etc.), tell me, I'm eager to hear!
