Mac OS X, Subversion, and Keychain

March 30, 2009 | Computers

I just learned this morning that Subversion since version 1.4 will cache passwords on OS X using the OS X Keychain. Lack of support for multiple passwords with Subversion has been a frustration for me for quite a while, but lo and behold it’s been under my nose the whole time.

Note: This is all based on command line usage. I’m not gonna speak for any of the SVN utilities out there.

The trick is that you need to let Subversion ask you for your password, not supply it in the SVN command string. So, while it’s tempting to do:

    # svn co --username=me --password=that https://example.com/svn/repo .

We should actually be doing:

    # svn co --username=me https://example.com/svn/repo .

We’ll then be prompted with:

    Authentication realm:
    Password for 'me':

Enter the password and it’s cached with the Keychain instead of as plain text. The entry is still retained in ~/.subversion/svn.simple/server-name-hash, but now it contains a reference to the Keychain for the password instead of storing it in the file. To verify that the password was stored in the Keychain, look in the file; if it was, you should see something like:

    ...
    K 8
    passtype
    V 8
    keychain
    ...

Getting your password into the Keychain requires re-authenticating with the SVN repository. So to update all your entries to use the Keychain instead, you’ll need to delete the files in ~/.subversion/svn.simple/ and re-authenticate with the server using the method outlined above.

It is not necessary to re-checkout the entire repository. Simply doing an update will suffice.
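To check every cached entry at once instead of opening each file, the script below parses the K/V layout shown above and flags entries that still hold a plaintext password. It is an added example, not part of the original post: the sample entries are constructed, the cache directory is passed as an argument, and treating passtype `simple` (or a missing passtype) as plaintext is an assumption about the file format beyond what the post shows.

```python
import sys
from pathlib import Path

def parse_svn_hash(data: bytes) -> dict:
    """Parse the 'K <len>, key, V <len>, value, ..., END' layout of one cache file."""
    fields, pos = {}, 0
    def read_item(tag: bytes) -> bytes:
        nonlocal pos
        eol = data.index(b"\n", pos)  # raises ValueError if the file is truncated
        header = data[pos:eol].split()
        if len(header) != 2 or header[0] != tag or not header[1].isdigit():
            raise ValueError(f"expected {tag!r} header at byte {pos}")
        start, end = eol + 1, eol + 1 + int(header[1])
        if data[end:end + 1] != b"\n":  # lengths count bytes, not characters
            raise ValueError(f"bad length at byte {pos}")
        pos = end + 1
        return data[start:end]
    while not data.startswith(b"END", pos):
        key = read_item(b"K")
        fields[key.decode()] = read_item(b"V")
    return fields

def audit_entry(data: bytes) -> dict:
    """Summarise one entry; the password value itself is never returned."""
    f = parse_svn_hash(data)
    passtype = f.get("passtype", b"").decode()
    return {
        "realm": f.get("svn:realmstring", b"").decode(errors="replace"),
        "username": f.get("username", b"").decode(errors="replace"),
        "passtype": passtype or "(none)",
        # Assumption: a plaintext entry has passtype "simple" (or none) plus a password key.
        "plaintext": passtype in ("", "simple") and "password" in f,
    }

def serialize(fields: dict) -> bytes:
    """Build a constructed sample entry in the same layout."""
    return b"".join(b"K %d\n%s\nV %d\n%s\n" % (len(k), k, len(v), v) for k, v in fields.items()) + b"END\n"

# Constructed samples, not real credentials.
KEYCHAIN = serialize({b"passtype": b"keychain", b"svn:realmstring": b"<https://example.com:443> Demo", b"username": b"me"})
PLAIN = serialize({b"passtype": b"simple", b"password": b"that", b"username": b"me"})

if __name__ == "__main__":
    # With a directory argument, audit its files; otherwise audit the constructed samples.
    if len(sys.argv) > 1:
        items = [(p.name, p.read_bytes()) for p in sorted(Path(sys.argv[1]).iterdir()) if p.is_file()]
    else:
        items = [("sample-keychain", KEYCHAIN), ("sample-plain", PLAIN)]
    for name, blob in items:
        print(name, audit_entry(blob))
```

Entries reported with `plaintext: True` are the ones to delete and re-authenticate as described above.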

So, I feel like this should be a “well, duh!” moment since this has been available since 2006, but gauging by the lack of documentation out there on the tubes and the lack of knowledge of this around here at the office I’m gonna say that this is kind of a hidden gem. At least, I’m gonna keep telling myself that to make me feel better 😉

3 Responses

  • On Snow Leopard 10.6.6 with Subversion 1.6.5, it works perfectly when logged in to the machine directly.

    However, if I SSH into the Mac from another one, svn has no access to the keychain, any ideas why?

    Matt Connolly, March 14, 2011 11:38 pm | permalink

  • I can’t be 100% sure of this but your keychain is tied to your OS X user account, not your SSH login. So when logging in remotely you don’t have the same OS ties as you do when directly logged in and the keychain doesn’t get unlocked. Now, that said, I think you can unlock your keychain via ssh.

    $ security unlock-keychain ~/Library/Keychains/login.keychain

    You’ll be prompted to unlock it via the keychain’s password and then subversion should be able to access it. I’ve been playing with this to try and create a purely command line driven ssh script that automatically pulls correct credentials from the keychain and initial testing looks good, but I haven’t tested using it while logged in remotely. Definitely let me know back if this works for you.

    Shawn, March 14, 2011 11:48 pm | permalink

  • FWIW I just discovered that the keychain credential is only created on checkout, not on subsequent operations on the repository. So if you have an existing working copy from a repository that you want to start using keychain auth for, you have to make a separate checkout from that same server’s URL (even if you delete it afterwards) in order to get your password into the keychain.

    eric sorenson, November 29, 2011 12:07 pm | permalink
