credential.helper=/usr/local/share/gcm-core/git-credential-manager makes GUI windows pop up. How many windows pop up may have confusing aspects.

[alu0100207385]

• carthage install method: [ ] .pkg, [x ] homebrew, [ ] source
• which carthage: /opt/homebrew/bin/carthage
• carthage version: 0.39.1
• xcodebuild -version: 15.2
• Are you using --no-build? No.
• Are you using --no-use-binaries? No.
• Are you using --use-submodules? No.
• Are you using --cache-builds? No.
• Are you using --new-resolver? No.
• Are you using --use-xcframeworks? Yes.

Cartfile

github "Alamofire/Alamofire"
github "OAuthSwift/OAuthSwift"
github "SwiftKickMobile/SwiftMessages"
github "mxcl/PromiseKit" ~> 6.8

Carthage Output

info: please complete authentication in your browser...
info: please complete authentication in your browser...

Actual outcome
Carthage did or did not download the dependencies. It is always asking for Github credentials.

Expected outcome
Carthage should update the dependencies if Github credentials are correct.

Demo
https://youtu.be/eYBNp5JutMM

Other data
Apple M2 Pro
macOS 14.2.1
ruby -v 2.6.10p210

[jdhealy]

Might be that some piece of software installed a 'git credential helper'.

Could you run git config --show-origin --list and strings "$(which git)" | grep com.apple.dt.xcode_select.tool-shim | wc -c and post here with any relevant lines?

(Thanks for the screen recording demo, it was helpful (well, we'll see how this goes) 😄☀️)

[alu0100207385]

Sure. Thanks for answering.

git config --show-origin --list

file:/Applications/Xcode.app/Contents/Developer/usr/share/git-core/gitconfig credential.helper=osxkeychain
file:/Applications/Xcode.app/Contents/Developer/usr/share/git-core/gitconfig init.defaultbranch=main
file:/Users/XXXXXXXXX/.gitconfig credential.helper=
file:/Users/XXXXXXXXX/.gitconfig credential.helper=/usr/local/share/gcm-core/git-credential-manager
file:/Users/XXXXXXXXX/.gitconfig credential.https://dev.azure.com.usehttppath=true
file:/Users/XXXXXXXXX/.gitconfig user.email=XXXXXXXXX@email.com
file:/Users/XXXXXXXXX/.gitconfig user.name=XXXXXXXXX
file:/Users/XXXXXXXXX/.gitconfig core.excludesfile=/Users/XXXXXXXXX/.gitignore_global
file:/Users/XXXXXXXXX/.gitconfig difftool.sourcetree.cmd=opendiff "$LOCAL" "$REMOTE"
file:/Users/XXXXXXXXX/.gitconfig difftool.sourcetree.path=
file:/Users/XXXXXXXXX/.gitconfig mergetool.sourcetree.cmd=/Applications/Sourcetree.app/Contents/Resources/opendiff-w.sh "$LOCAL" "$REMOTE" -ancestor "$BASE" -merge "$MERGED"
file:/Users/XXXXXXXXX/.gitconfig mergetool.sourcetree.trustexitcode=true

strings "$(which git)" | grep com.apple.dt.xcode_select.tool-shim | wc -c

53

[jdhealy]

From file:/Users/XXXXXXXXX/.gitconfig credential.helper=/usr/local/share/gcm-core/git-credential-manager – I found git-ecosystem/git-credential-manager#336 which (from the video, thanks!) seems to match what’s seen. ☀️

git-credential-manager seems to exist (this is my read) to enforce multi-factor authentication.

You can view this as dissimilar to using Carthage with --use-ssh. ⋯⋯⋯ Carthage with --use-ssh (or git using ssh to credential for a repo) is a solution that is 'somewhat' single factor (but many people view it as good enough for their security purposes.)

So, solutions that enforce multi-factor authentication often have an ‘upfront cost’ — where, if no prior checkout/credentialing of that repo happened before, then →→→ first time: user takes action • second time: no action required as the token needed is pulled from secure storage.

We’ll assume that (1) the secure storage is able to be accessed correctly on your machine and (2) the repo host servers are not constantly invalidating the tokens.

✨ If (1) and (2) are true, then one would experience an 'upfront wave' of those windows popping up and requiring action…

✨ …but there's no technical reason (seemingly) why ’getting through the upfront wave’ is unviable.

@alu0100207385 — was it a situation for you where it ‘seemed’ the ‘upfront wave’ would never end? Or are we in a much buggier situation where the ‘upfront wave’ truly never ends?

⋯⋯⋯ Perhaps a good debugging step is looking repeatedly at a ps -axww | grep git-credential-manager each time the window opens and seeing if particular URLs ‘enter the wave’ more than once?

⋯⋯⋯ Also, worth checking for any of these environment variables that would make (1) and (2) not hold true.

Alternatively, some view the multi-step authentication as not necessary, and ssh keys and Carthage’s --use-ssh is fine — but one’s workplace may mandate differently (so I can’t really advise.) ⋯⋯⋯ I will note that Carthage’s --use-ssh isn’t often the path taken for CI services, but that's a different story.