Prerequisites
Before trying to use a CAC or ECA with git, ensure you can first login successfully to GitLab or Bitbucket using a browser and the certificate you want to use with git.
Windows
Install Git
- Download Git for Windows
- Install using the default options
Setup Git
CAC
- Obtain your CAC Thumbprint. You can list certificates with the following PowerShell command:
Get-ChildItem -path cert:\CurrentUser\My
- Replace {{ CAC Thumbprint }} with the thumbprint of your CAC in the commands below.
- Run the following PowerShell commands:
git config --global http.'https://*.arcus.mil'.extraHeader "Cookie: consent=true; dashboard=yes"
git config --global http.'https://*.arcus.mil'.followRedirects true
git config --global http.'https://*.arcus.mil'.cookieFile $HOME\\git-cookie
git config --global http.'https://*.arcus.mil'.sslBackend schannel
git config --global http.'https://*.arcus.mil'.sslCert "CurrentUser\My\{{ CAC Thumbprint }}"
ECA
- Obtain your ECA Thumbprint. You can list certificates with the following PowerShell command:
Get-ChildItem -path cert:\CurrentUser\My
- Replace {{ ECA Thumbprint }} with the thumbprint of your ECA in the commands below.
- Run the following PowerShell commands:
git config --global http.'https://*.arcus.mil'.extraHeader "Cookie: consent=true; dashboard=yes"
git config --global http.'https://*.arcus.mil'.followRedirects true
git config --global http.'https://*.arcus.mil'.cookieFile $HOME\\git-cookie
git config --global http.'https://*.arcus.mil'.sslBackend schannel
git config --global http.'https://*.arcus.mil'.sslCert "CurrentUser\My\{{ ECA Thumbprint }}"
Linux
Install Git
Red Hat
yum install git
Ubuntu
apt install git
Setup Git
CAC
Run the following commands to configure git to use your CAC:
git config --global http.'https://*.arcus.mil'.extraHeader "Cookie: consent=true; dashboard=yes"
git config --global http.'https://*.arcus.mil'.followRedirects true
git config --global http.'https://*.arcus.mil'.cookieFile $HOME/git-cookie
git config --global http.'https://*.arcus.mil'.sslCert "pkcs11:manufacturer=piv_II;id=%01"
git config --global http.'https://*.arcus.mil'.sslKey "pkcs11:manufacturer=piv_II;id=%01"
ECA
- Obtain the full path to your ECA that is on your git client.
- Replace {{ path to pem file }} with the full path from step 1 in the commands below.
- Run the following commands to configure git to use your ECA:
git config --global http.'https://*.arcus.mil'.extraHeader "Cookie: consent=true; dashboard=yes"
git config --global http.'https://*.arcus.mil'.followRedirects true
git config --global http.'https://*.arcus.mil'.cookieFile $HOME/git-cookie
git config --global http.'https://*.arcus.mil'.sslCertPasswordProtected true
git config --global http.'https://*.arcus.mil'.sslCert "{{ path to pem file }}"
MacOS
Prereqs
These instructions are tested using the native curl on MacOS. Verify you are using the native curl by running curl --version. The output should look similar to the following (pay close attention to the first line and ensure it is similar; close version numbers should be fine):
macosx:~ computer$ curl --version
curl 7.84.0 (x86_64-apple-darwin22.0) libcurl/7.84.0 (SecureTransport) LibreSSL/3.3.6 zlib/1.2.11 nghttp2/1.47.0
Release-Date: 2022-06-27
Protocols: dict file ftp ftps gopher gophers http https imap imaps ldap ldaps mqtt pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
Features: alt-svc AsynchDNS GSS-API HSTS HTTP2 HTTPS-proxy IPv6 Kerberos Largefile libz MultiSSL NTLM NTLM_WB SPNEGO SSL threadsafe UnixSockets
Install Git
brew install git
Setup Git
ECA
- Open Keychain Access and find your ECA. It will likely be in the “login” keychain under the “My Certificates” category.
- Copy down the name of your ECA. You will likely see two identical entries; that is fine because the name will be the same for both.
- Replace {{ ECA Name }} with the name of your ECA in the commands below.
- Run the following commands:
git config --global http.'https://*.arcus.mil'.extraHeader "Cookie: consent=true; dashboard=yes"
git config --global http.'https://*.arcus.mil'.followRedirects true
git config --global http.'https://*.arcus.mil'.cookieFile $HOME/git-cookie
git config --global http.'https://*.arcus.mil'.sslBackend secure-transport
git config --global http.'https://*.arcus.mil'.sslCert "{{ ECA Name }}"
CAC
Run the following commands to configure git to use your CAC:
sslCert="$(sc_auth identities | grep 'Certificate For PIV Authentication' | cut -d '-' -f 2- | awk '{$1=$1};1')"
git config --global http.'https://*.arcus.mil'.extraHeader "Cookie: consent=true; dashboard=yes"
git config --global http.'https://*.arcus.mil'.followRedirects true
git config --global http.'https://*.arcus.mil'.cookieFile $HOME/git-cookie
git config --global http.'https://*.arcus.mil'.sslBackend secure-transport
git config --global http.'https://*.arcus.mil'.sslCert "${sslCert}"
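A way to confirm the Linux and MacOS settings above took effect before cloning, as an added example that is not part of the original instructions. The hypothetical check_git_pki function resolves the keys for a target URL with git config --get-urlmatch, flags any of them set without a URL scope, and flags cookie or PEM files accessible beyond their owner.

```sh
#!/bin/sh
# Added example (not from the original page): audit the per-URL git settings above.
# check_git_pki URL  prints findings and returns the number of problems found.
check_git_pki() {
    url=$1
    problems=0

    # 1. Each setting must resolve for this URL through an http.<url>.* entry.
    for key in sslCert cookieFile extraHeader followRedirects; do
        val=$(git config --get-urlmatch "http.$key" "$url") || val=
        if [ -n "$val" ]; then
            echo "ok        http.$key = $val"
        else
            echo "MISSING   http.$key does not apply to $url"
            problems=$((problems + 1))
        fi
    done

    # 2. A bare http.<key> (no URL) applies to every HTTPS remote, so the
    #    certificate and Cookie header would not be limited to the intended hosts.
    for key in sslCert sslKey extraHeader cookieFile; do
        if git config --get-all "http.$key" >/dev/null 2>&1; then
            echo "UNSCOPED  http.$key is set without a URL"
            problems=$((problems + 1))
        fi
    done

    # 3. Config values that name real files (cookie jar, PEM) should be
    #    owner-only. pkcs11: URIs and keychain names are not files and are skipped.
    for key in cookieFile sslCert sslKey; do
        path=$(git config --get-urlmatch "http.$key" "$url") || continue
        [ -f "$path" ] || continue
        mode=$(ls -ldL "$path" | cut -c5-10)   # group+other permission bits
        if [ "$mode" != "------" ]; then
            echo "PERMS     $path (http.$key) is accessible beyond its owner"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# Run directly: sh check.sh https://gitlab-premium.arcus.mil/myproject/myproject.git
if [ "$#" -gt 0 ]; then
    check_git_pki "$1"
fi
```

A PERMS finding on the cookie file or PEM is cleared with chmod 600 on that path.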
Clone a repository
Create an Access Token
Bitbucket
- Follow these directions to create an HTTP access token
- Note your Bitbucket username
- Note the value of the HTTP access token
GitLab
- Follow these directions to create a personal access token
- Note the name of the personal access token
- Note the value of the personal access token
Clone
Once the setup is complete, you will now be able to interact with (push, pull, clone, etc.) your repo through your CollabTools. For example:
To clone a repository in Bitbucket, enter:
git clone https://bitbucket.arcus.mil/scm/myproject/myproject.git
To clone a repository in GitLab, enter:
git clone https://gitlab-premium.arcus.mil/myproject/myproject.git
First you will be prompted for your PKI PIN, then you will be asked for your name and access token. The name and access token will be cached across multiple transactions.
NOTES:
- If you are using a CAC, you will be prompted to enter your PIN (on all OS). If you are using an ECA, you will be prompted to enter your ECA password on Linux and your Keychain Access password on MacOS.
- If you have not logged in to the git server before, you will be prompted for the credentials you created when setting up the access token.