The https push facility relies on user client authentication certificates to enable pushing. These certificates are automatically created whenever an RSA SSH public key is included in the “Public SSH Key(s)” section of the Register user page and may be downloaded from the download link(s) shown on the user registration confirmation page or the Update user email/SSH Keys page.

Prerequisites

Assuming the user login name is test and the root certificate has been downloaded to $HOME/certs/rorcz_root_cert.pem (see here for more information about the root certificate), the single RSA SSH public key from $HOME/.ssh/id_rsa.pub has been uploaded as the sole public key for the test user and the resulting test user authentication certifcate has been downloaded to $HOME/certs/rorcz_test_user_1.pem, the following shows how to clone and then push to a mobexample.git project using only the smart HTTP protocol.

An https push user authentication certificate may be downloaded from the Register user confirmation page or the Update user email/SSH Keys page.

Example

It’s possible to both fetch and push over https. It’s also possible to fetch over http and push over https. There’s an example of each.

# the rorcz root certificate is in $HOME/certs/rorcz_root_cert.pem
# the test user certificate is in $HOME/certs/rorcz_test_user_1.pem
# the $HOME/.ssh/id_rsa.pub SSH public key was uploaded
# the $HOME/.ssh/id_rsa file is the $HOME/.ssh/id_rsa.pub private key

Using Git version 1.8.5 or later:

# one-time global URL-specific configuration
# (requires Git version 1.8.5 or later)
git config --global http.https://repo.or.cz.sslCAInfo \
                    $HOME/certs/rorcz_root_cert.pem
git config --global http.https://repo.or.cz.sslCert \
                    $HOME/certs/rorcz_test_user_1.pem
git config --global http.https://repo.or.cz.sslKey \
                    $HOME/.ssh/id_rsa

# clone using http
git clone http://repo.or.cz/r/mobexample.git mob1

# clone using https
git clone https://repo.or.cz/r/mobexample.git mob2

# configure mob1 to push over https
cd /tmp/mob1
git remote set-url --push origin https://repo.or.cz/r/mobexample.git
echo mob1 >> mob1
git add mob1
git commit -m mob1
# push will fail because test does not have push permission
git push --all origin

# configure mob2 to fetch and push over https
cd /tmp/mob2
# nothing needs to be done, the clone & global config took care of it
echo mob2 >> mob2
git add mob2
git commit -m mob2
# push will fail because test does not have push permission
git push --all origin

Using any version of Git:

# work in /tmp
cd /tmp

# clone using http
git clone http://repo.or.cz/r/mobexample.git mob1

# clone using https
GIT_SSL_CAINFO=$HOME/certs/rorcz_root_cert.pem \
git clone https://repo.or.cz/r/mobexample.git mob2

# configure mob1 to push over https
cd /tmp/mob1
git config http.sslCAInfo $HOME/certs/rorcz_root_cert.pem
git config http.sslCert $HOME/certs/rorcz_test_user_1.pem
git config http.sslKey $HOME/.ssh/id_rsa
git remote set-url --push origin https://repo.or.cz/r/mobexample.git
echo mob1 >> mob1
git add mob1
git commit -m mob1
# push will fail because test does not have push permission
git push --all origin

# configure mob2 to fetch and push over https
cd /tmp/mob2
git config http.sslCAInfo $HOME/certs/rorcz_root_cert.pem
git config http.sslCert $HOME/certs/rorcz_test_user_1.pem
git config http.sslKey $HOME/.ssh/id_rsa
echo mob2 >> mob2
git add mob2
git commit -m mob2
# push will fail because test does not have push permission
git push --all origin

The example git push commands above will fail with a push permission error since the test user does not have permission to push to the mobexample.git project, but the mob user can push to the mob branch of mobexample.git over https as detailed here.

Password Caching

In the above examples, if the $HOME/.ssh/id_rsa private key is password protected, then it’s desirable to set http.sslCertPasswordProtected to true like so:

# with the current directory /tmp/mob1 or /tmp/mob2
git config --bool http.sslCertPasswordProtected true

If using Git version 1.8.5 or later the http.sslCertPasswordProtected setting may be applied only to specific URLs (such as https://repo.or.cz). See the output of git config help for more information.

(view source)