Not sure how rare this is to trigger, but it happened on one PC consistently when combined with KeePassNatMsg. Println-debugging showed read_to_end doesn't return when the response is a multiple of 128 bytes. Code:
https://github.com/Frederick888/git-credential-keepassxc/blob/v0.8.2/src/utils.rs#L247:L252

Usually the next .read() should return 0, but apparently somewhere in the stack this doesn't work.

To avoid ambiguities in artifacts (especially for people like me that download "the latest and greatest", without waiting for official releases), it would be nice if the version string was instead:

$ git-credential-keepassxc -V
git-credential-keepassxc v0.8.2 (v0.8.2+8 8575367)

Or something equivalent to git describe --long --always (add --tags also if you do not want to use "annotated tags": https://git-scm.com/book/en/v2/Git-Basics-Tagging#_creating_tags)

I most often work from a laptop (with a YubiKey Nano USB-C) with an external monitor (with a standard YubiKey USB). This means there are two YubiKeys plugged in. I'm using the One or multiple YubiKeys with the same secret (and same master key) approach.

What is the expected behavior when the challenge is presented? Should I be able to touch either key, or do I need to touch a specific key? How is that device determined?

Thanks.

I was wondering if you'd like to improve on the warning message given from the git-credential-keepassxc, when callers don't match.

I'd like to know who called me, so I can add (maybe?) them to the list.

Description

On git 2.41.0 (released today) auth fails with

ERRO Failed to parse Git credential message: Unknown key wwwauth[]
Original message:
protocol=https
host=<private git repo>
wwwauth[]=Basic realm="Gitlab"
, Caused by: N/A

downgrading to git 2.40.1 fixes this

The release notes for git 2.41 mention a change to auth, see here, search for "WWW-Authenticate"

Environment

• OS: Linux
• keepassxc --version output: 2.7.5
• git-credential-keepassxc --version output: 0.12.0

Checklist

• I've read the README
• I've read the Wiki
• This is an issue regarding the project itself (instead of linking, packaging, anti-virus, etc.)

Configuration

standard configuration using git 2.41.0

Logs

ERRO Failed to parse Git credential message: Unknown key wwwauth[]
Original message:
protocol=https
host=<private git repo>
wwwauth[]=Basic realm="Gitlab"
, Caused by: N/A

Hi @Frederick888 ,
first of all THANK YOU so much for this awesome project. It really helps my daily work.

I have the following situation:

I'd like to set an environment variable to a personal access token - GITHUB_TOKEN in this case - inside a script.
The token is stored inside my entry for github.com as an "Additional attribute" named KPH: GITHUB_TOKEN.

I have enabled the option Return advanced string fields which start with "KPH: " under Settings -> Browser Integration.
I was able to successfully deactivate the database entry by setting KPH: git to false.

Sadly the additional entries specified by KPH: * are not returned by git-credential-keepassxc.
I am aware that I could duplicate the entries and use a different username.

Are the values filtered to username, url and password by the program?
Or is it possible to get access to these "Additional attributes" somehow?
That would be super awesome 😄

printf "url=https://github.com\nusername=nifr\n" | git-credential-keepassxc get

output:

username=nifr
password=HIDDEN
url=https://github.com

expected output:

username=nifr
password=HIDDEN
url=https://github.com
GITHUB_TOKEN=HIDDEN

Thanks in advance for your time and greetings from Cologne, Germany :)

Hi!

Looking forward to having the source repo credentials stored in KeePass database. However, I find the current behaviour a bit unexpected and dangerous.

I've successfully linked to my KeePass database. Then I tried fetching an existing repository with upstream on GitLab. I was prompted for the credentials and copy/pasted my GitLab username and the access token code into the password field. This worked for authentication but then I was asked if I wanted to store the credentials.
I answered yes, assuming these would be stored in the newly-created Git folder. Alas, no. It has overwritten my GitLab credentials at a completely different location, overwriting my real password with the token value.

I managed to restore the previous version of the record but, to be honest, I am not a bit afraid to continue experimenting with other services.

I don't see any way to tell the plugin to use a certain version. It seems to always take the existing gitlab record and not any new ones that I create in the Git folder.

Description

I have configured the tool as outlined in

However usage instructions are very unclear.

I have figured out how to store credentials in my password db. But when i call git commit -S -m ... I get a normal password prompt and not autofill by keepassxc.

Adding credentials was also hard to find out. Can you make instruction more detailed?

Environment

• OS: Linux
• keepassxc --version output: KeePassXC 2.7.4
• git-credential-keepassxc --version output:git-credential-keepassxc 0.12.0

Checklist

• I've read the README
• I've read the Wiki
• This is an issue regarding the project itself (instead of linking, packaging, anti-virus, etc.)

Configuration

1

Description

I think that I have missed one step... Here is my sessions in trying to use git-credential-keepassxc after allowing "Integration with web browsers" in the GUI of KeePassXC.

>>> git-credential-keepassxc caller me 
Gonna save current caller to allowed callers list:
{
  "path": "/usr/bin/bash",
  "uid": 1000,
  "gid": 1000,
  "canonicalize": false
}
Press Enter to continue...

>>> git-credential-keepassxc -vv configure
Oct 21 17:22:47.048 INFO Dump is disabled
Oct 21 17:22:47.049 INFO Reading configuration from /home/XXX/.config/git-credential-keepassxc
Oct 21 17:22:47.049 INFO Caller verification skipped as no caller profiles defined and strict-caller disabled
Oct 21 17:22:47.049 WARN Configuring database when strict-caller feature is enabled and no caller profiles are defined
You are about to configure a new database before configuring any callers while strict-caller feature is enabled.
You won't be able to use this program unless you plan to add caller profiles manually!
Tip: Check out `git-credential-keepassxc caller me --help` to add yourself to the allowed callers list.
Press Enter to continue... 
Oct 21 17:22:47.900 INFO Sending change-public-keys request
Oct 21 17:22:47.900 INFO Socket path: /run/user/1000/org.keepassxc.KeePassXC.BrowserServer
Oct 21 17:22:47.900 ERRO Failed to connect to Unix socket /run/user/1000/org.keepassxc.KeePassXC.BrowserServer, Caused by: Connection refused (os error 111)

How can I define one caller profiles? Can you clarify the following lines from the README file?

If you've enabled strict-caller, you must add caller profiles before configuring databases,
otherwise you won't be able to run git-credential-keepassxc afterwards.

Environment

• OS: Linux Manjaro cinnamon
• keepassxc --version output: KeePassXC 2.7.6
• git-credential-keepassxc --version output: git-credential-keepassxc 0.13.0 (strict-caller, notification, encryption, yubikey)

Checklist

• [ y ] I've read the README
• [ y ] I've read the Wiki
• [ n ] This is an issue regarding the project itself (instead of linking, packaging, anti-virus, etc.)

Configuration

Just one database.

first off thanks for the software!

i'm trying to configure it and perhaps i did something wrong on the way, if you could point where that would be really cool.

i did configure with: git-credential-keepassxc configure,

having this file:

{
  "databases": [
    {
      "id": "git-credential-keepassxc",
      "key": "xxx",
      "pkey": "xxx",
      "group": "Git",
      "group_uuid": "xxx"
    }
  ],
  "callers": [
    {
      "path": "/nix/store/j7cfd6hwir1hiqr9v774ng108py9x71q-zsh-5.8/bin/zsh",
      "uid": 1000,
      "gid": 100,
      "canonicalize": false
    }
  ]
}

keepassxc asked for a connection name, that went smoothly. it did create Git sub-directory in keepassxc.

(do i need to configure my credentials manually or it should ask/save with prompts?)

from git config:

...
[credential]
        helper = "/nix/store/07f8mwjp8458nz28r03rdcp2jkwrpjli-keepassxc-2.6.4/bin/keepassxc"
...

(i'm having double thoughts about this, should not we be configuring git-credentials-keepassxc instead of the backend itself: keepassxc ?)

while running git push i'm getting:

QLocalSocket::waitForDisconnected() is not allowed in UnconnectedState
Another instance of KeePassXC is already running.
Username for 'https://github.com':

keepassxc configs:

Versions:
KeePassXC 2.6.4
git-credential-keepassxc 0.6.0
rustc 1.51.0
OS: NixOS

Compiled with notifications, encryption.

$ git-credential-keepassxc --unlock 20 get password
passw0rd

$ git-credential-keepassxc --unlock 20 get username
root

Use case:

• I'd want to apply "separation of concerns" to a program that I am running. I want to pass one command, and tell to the program "if you run this, you will get the password".
• I'd like to allow users to be able to plug their own credential-solution, and
• "myself" internalizing per-credential-manager solution seems infeasible

Workarounds considered:
... I think for now I'll write a shell script that does that, I guess. I'd prefer wouldn't have to do that, though.

While URL makes sense for the original purpose of the program (i.e. git-credential-...), it makes it complicated to fetch tokens that are not associated with a URL (i.e., simple [key, value] pairs)

Maybe you can allow:

$  printf 'username=%s\n' "SUPER_SECRET" | git-credential-keepassxc get
Feb 10 09:27:54.103 ERRO Protocol and host are both required when URL is not provided, Caused by: N/A

However, explicit

$ printf 'url=\nusername=%s\n' "SUPER_SECRET" | git-credential-keepassxc get
Feb 10 09:28:36.692 ERRO Request get-logins failed, No URL provided (code: NoUrlProvided), Caused by: N/A

should be a way to work around that?

I am fine if you'd like to hide this "protocol deviation" by introducing e.g. a --no-url-is-okay argument flag

I'm getting this error when running on windows :

bendem> git-credential-keepassxc.exe -vvv configure
Jul 15 14:17:58.975 DEBG Subcommand: configure
Jul 15 14:17:58.979 INFO Sending change-public-keys request
Jul 15 14:17:58.981 DEBG SEND: {"action":"change-public-keys","publicKey":"b8RXkakSQFY+MNJGn1xhSnmPKMm65+2m1Jy82b81CyM=","nonce":"SYvqO+ttgrJH9OjMqc9KO1z55/CDw4lc","clientID":"7sG9XEgiZEUhzvoXJLcchKS8W6QJa1to"}
Jul 15 14:17:58.982 DEBG Socket path: \\.\pipe\\C:\Users\bendem\AppData\Local\Temp\org.keepassxc.KeePassXC.BrowserServer
Jul 15 14:17:58.984 ERRO Le fichier spécifié est introuvable. (os error 2), Caused by: N/A, Message: Le fichier spécifié est introuvable. (os error 2)
[105.01 ms]

I'm guessing the problem comes from using the OS temp dir while windows pipes are (from what I understand) in \\.\pipe\.

Ref keepassxreboot/keepassxc#5069

Description

I am running git-credential-keepassxc installed as a normal user from a rustup cargo installation. When I try git-credential-keepassxc configure I get only "Aug 04 12:30:52.680 ERRO Failed to locate socket, Caused by: N/A".

Running with "-v" option gives me "unexpected argument"

Environment

• OS: ubuntu 20.04 LTS
• keepassxc --version output: keepassxc 2.4.3
• git-credential-keepassxc --version output: git-credential-keepassxc 0.13.0

Checklist

• [ X ] I've read the README
• [ X ] I've read the Wiki
• [ X ] This is an issue regarding the project itself (instead of linking, packaging, anti-virus, etc.)

Configuration

Single keepassxc database which also holds usual web passwords and TOTP tokens

Two solutions:

1. Signal handling in this project, related projects:

https://crates.io/crates/signal
https://crates.io/crates/addy
https://crates.io/crates/wintrap

2. Have a wrapper struct in yubico_manager that implements Drop?

git-credential-keepassxc already compiles under macOS according to Travis but directories_next::BaseDirs::runtime_dir doesn't work for mac.

Need someone to confirm the path so that users don't need to manually specify it.

Hello, the keepass named pipe moved again in the latest version, this time they added the username to it.

https://github.com/keepassxreboot/keepassxc/pull/5485/files

Notify users of password retrieval attempts. Once YubiKey feature is merged it can also be used to remind users of tapping their keys.

https://crates.io/crates/notify-rust

I configured keepassxc to automagically lock the database after a period of inactivity.

So usually when I do a git push the database is locked and I get the follwoing error from git-credentials-keepassxc.

ERRO No valid database associations found in configuration file, Caused by: N/A, Message: No valid database associations found in configuration file

Since the browser plugin is able to trigger keepassxc to request an unlocking of the DB, I figured that this must be possible to with git-credentials-keepassxc too. I looked in the source of the browser plugin and found that they set somewhere the flag triggerUnlock which then gets build into the request in keepass.js:1215. https://github.com/keepassxreboot/keepassxc-browser/blob/develop/keepassxc-browser/background/keepass.js#L1215

The argument triggerUnlock can be set by a call to keepass.testAssociation, so it could be that they do it with the testAssociation message/request. But I'm not sure, the JS code is very difficult to read with all the default arguments, which are forwarded seven layers deep.

Long story short it would be a nice feature, to be able to run git-credentials-keepassxc with a locked DB and then be asked to unlock it.

Hey, im trying to figure out how to use this program. I installed it from the AUR repo and a token password an entry within the additional attributes, but I can't figure out how to make the program read the extra attributes. I'm using ArchLinux with KeePassXC 2.6.6

I also get this error too

Nov 18 13:38:33.666 ERRO KeePassXC doesn't allow erasing logins via socket at the time of writing
remote: HTTP Basic: Access denied
remote: You must use a personal access token with 'read_repository' or 'write_repository' scope for Git over HTTP.
remote: You can generate one at https://gitlab.com/-/profile/personal_access_tokens
fatal: Authentication failed for 'https://gitlab.com/NovaViper/dotfiles.git/'

I had installed this with cargo and it worked fine.

Now I installed it from the AUR, as I would like to manage my packages from a single system.

It returns the following error when I try to configure it:

❯ git-credential-keepassxc configure
Jan 02 19:58:55.787 ERRO /usr/bin/fish (uid=1000, gid=1000) is not allowed to call git-credential-keepassxc, Caused by: N/A

Hello,

I've tried to build on Debian and it fails:

I've run cargo install git-credential-keepassxc .
I installed rust from repos.

cargo --version 
cargo 1.42.1

rustc --version
rustc 1.42.0

  Compiling prctl v1.0.0
   Compiling aes-gcm v0.6.0
error: attributes are not yet allowed on `if` expressions
  --> /home/ieugen/.cargo/registry/src/github.com-1ecc6299db9ec823/sysinfo-0.14.13/src/utils.rs:27:5
   |
27 |     #[allow(clippy::identity_conversion)]
   |     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

error: aborting due to previous error

error: could not compile `sysinfo`.
warning: build failed, waiting for other jobs to finish...
error: failed to compile `git-credential-keepassxc v0.3.2`, intermediate artifacts can be found at `/tmp/cargo-installRE8O9G`

Caused by:
  build failed

Description

I'm encountering an issue with KeePassXC integration with git. Whenever I attempt to use git commands that require authentication, I receive the error "ERRO /usr/bin/zsh (uid=1000, gid=1000) is not allowed to call git-credential-keepassxc, Caused by: N/A". This issue occurs when I use command line git in zsh, but does not happen with GUI-based Git clients like GitHub Desktop and the built-in Git in Jetbrains products.

Environment

• OS: Linux archlinux 6.4.3-zen1-1-zen #1 ZEN SMP PREEMPT_DYNAMIC Tue, 11 Jul 2023 05:13:16 +0000 x86_64 GNU/Linux
• keepassxc --version output: KeePassXC 2.7.5
• git-credential-keepassxc --version output: git-credential-keepassxc 0.13.0 (strict-caller, notification, encryption, yubikey)

Checklist

• I've read the README
• I've read the Wiki
• This is an issue regarding the project itself (instead of linking, packaging, anti-virus, etc.)

Configuration

I am using KeePassXC with git through zsh shell. I have set the git configuration to use 'keepassxc' as the credential helper.

Logs

Here is the error I get when I attempt to call git-credential-keepassxc:

> git-credential-keepassxc caller me
Jul 16 07:03:06.065 ERRO /usr/bin/zsh (uid=1000, gid=1000) is not allowed to call git-credential-keepassxc, Caused by: N/A

I would like to avoid returning "arbitrary" first password when using in scripts.

diff --git a/src/main.rs b/src/main.rs
index 377fcc0..7595194 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -587,6 +587,8 @@ where
                 login_entries_name_matches.len()
             );
             login_entries = login_entries_name_matches;
+        } else {
+            return Err(anyhow!("No matching logins found"));
         }
     }
     if login_entries.len() > 1 {

Not sure is it a bug or UC for something?

KeePassXC started providing group in get-logins response.

We can utilise it and implement a 'Git group only' mode flag.

Further this mode can potentially be switched on automatically if /usr/lib/git-core/git-remote-http is the caller (need to check feasibility and cross-platform compatibility).

See also #48.

There is a get-totp message now.

Hi,
is it possible to disable notification via config file or do I have to rebuild with notification feature disabled?
Rebuilding is a bit inconvenient for SW installed using package manager...

Description

I have an entry under the /Git folder with the following properties:

• Title: Bogus
• Username: [email protected]
• Password: password123
• URL: bogus.com

I'm trying to access the password like this:

printf "url=bogus.com\[email protected]\n" | git-credential-keepassxc get
Apr 10 20:27:20.304 ERRO Request get-logins failed, No logins found (code: NoLoginsFound), Caused by: N/A

I'm assuming that I'm missing something in the docs although I promise I have read them multiple times :-) I would be happy to update the wiki once I know how to do this.

Environment

• OS: Linux (NixOS)
• keepassxc --version output:
  • KeePassXC 2.7.4
• git-credential-keepassxc --version output:
  • git-credential-keepassxc 0.11.0

Checklist

• I've read the README
• I've read the Wiki
• This is an issue regarding the project itself (instead of linking, packaging, anti-virus, etc.)

Configuration

1

Logs

Apr 10 20:30:59.605 INFO Dump is disabled
Apr 10 20:30:59.605 INFO Reading configuration from /home/tom/.config/git-credential-keepassxc
Apr 10 20:30:59.605 INFO Caller verification skipped as no caller profiles defined and strict-caller disabled
Apr 10 20:30:59.606 INFO Sending change-public-keys request
Apr 10 20:30:59.606 INFO Socket path: /run/user/1000/org.keepassxc.KeePassXC.BrowserServer
Apr 10 20:30:59.607 INFO Sending test-associate request
Apr 10 20:30:59.608 INFO Successfully authenticated against 1 database(s)
Apr 10 20:30:59.608 INFO Sending get-logins request
Apr 10 20:30:59.617 WARN Request get-logins failed, No logins found (code: NoLoginsFound)
Apr 10 20:30:59.617 ERRO Request get-logins failed, No logins found (code: NoLoginsFound), Caused by: N/A

How?

YubiKey challenge-response

                                            Master Key Ciphertext  Database/Caller Ciphertext
                                                     |                        |
                                                     🮦                       🮦
Challenge (64B)  => YubiKey => Response (20B) => AES Key (32B) =====> Master Key (32B) => Database/Caller Plaintext
                                    🮧               🮧                       🮧
                                    |                |                        |
                               Padding (12B)     Nonce (12B)        Database/Caller Nonce (12B)

U2F (?)

Try having a future-proof design but no plan for implementation. Probably useful for browser but challenge-response is good enough (and simple) for CLI.

More than one encryption profiles?

• Master AES key
• Multiple YubiKeys with different HMAC-SHA1 secrets
• One or more YubiKeys with different methods (challenge-response, U2F)

Try having a future-proof design but no plan for implementation. Since U2F has a really low priority, probably saving YubiKey serial is good enough?

Also encrypting caller list?

There will be two guards (tapping on YubiKey, confirmation from KeePassXC) already, which look good enough to me. Of course a user can configure their keys/KeePassXC to disable these confirmations. But this is of really low priority.

Prototype

In yubikey branch.

KeePassXC 2.6 remove the socket at /run/user/*/kpxc_server so git-credential-keepassxc can't connect to KeePassXC any more.

See keepassxreboot/keepassxc#4680 for more details.

Summary

git-credential-keepassxc fails to communicate with KeePassXC.

❯ git-credential-keepassxc configure
Dec 02 23:28:37.623 ERRO You are not allowed to use this program, Caused by: N/A

Steps to reproduce

1. Database is unlocked (otherwise a different error is returned),
2. Run git-credential-keepassxc configure,
3. KeePassXC prompt for a connection name,
4. Type in any name, press "Save and allow access" button.

Expected result

Pairing complete, connection information stored.

Observed result

An error is reported in terminal. Presumably because KeePassXC refuses to communicate with git-credential-keepassxc.

Context

KeePassXC: 2.6.2-1
git-credential-keepassxc: 0.4.3, features: all
rust: 1.48.0/stable
OS: Arch Linux

I figured, my browser integration settings might be relevant, so here they are.

Is it possible to implement a desktop notification to let the user know that it's waiting for the Yubikey Challenge-Response?

Related: https://crates.io/crates/ctap_hmac https://crates.io/crates/ctap-hid-fido2

removed

Hi,

I found the unlock option not working for me.
I debugged until I found out, that my Keepass is returning a localized string when the database is locked.
This means the check in the following line fails:

I just changed the string to the correct one and sure enough it started working.
Maybe there is a different way to check if the database is unlocked?

Tasks to tackle:

• Socket path

XDG probably doesn't work under Win. KeePassXC uses named pipes under Win and the path is %TMP%\kpxc_server (e.g. C:\Users\Administrator\AppData\Local\Temp\kpxc_server). It listens on another one called keepassxc-Administrator.socket at the same time, not sure whether it's for browser integration as well or not.

• UnixStream -> Named pipe

Two most popular implementations are:
https://crates.io/crates/named_pipe
https://crates.io/crates/mio-named-pipes

We should probably use the first one as it doesn't seem to require a runtime. It's a synchronous CLI tool at the end of the day and we don't need asynchronous stuff.

exchange_message() needs to be updated as well.

• Logger

Does TermDecorator work in cmd/PowerShell? Do we need to switch to PlainSyncDecorator under Win?

From the Release 0.8.2, the Windows files windows-lastest-full.zip and windows-latest-minimal.zip are blocked to download by Microsoft Defender because it detects Trojan:Win32/spursint.Ficl. I hope this is a false positive.

If so, digitally signing the executable probably helps to reduce the risk for such a event.

Keys and callers are stored plain text in the config file, the former can be read by any application and the latter might be modified by any application.

The flatpak version seems to move the path
$XDG_RUNTIME_DIR/org.keepassxc.KeePassXC.BrowserServer
to
$XDG_RUNTIME_DIR/app/org.keepassxc.KeePassXC/org.keepassxc.KeePassXC.BrowserServer

Perhaps the path to the named pipe could be set in a config file for when it's required?

I tried to use the latest release https://github.com/Frederick888/git-credential-keepassxc/releases/download/v0.9.1/macos-latest-full.zip
on my macbook M1 (arm64) and got the link error

$ git-credential-keepassxc --help
dyld: Library not loaded: /usr/local/opt/libusb/lib/libusb-1.0.0.dylib
  Referenced from: /Users/ilya/opt/opt/bin/git-credential-keepassxc
  Reason: image not found
Abort trap: 6

My env is:

$ uname -a
Darwin ilya-mbp.lan 20.6.0 Darwin Kernel Version 20.6.0: Tue Oct 12 18:33:38 PDT 2021; root:xnu-7195.141.8~1/RELEASE_ARM64_T8101 arm64 arm64 MacBookPro17,1 Darwin

Workaround: I installed the tool from sources with rustup and it works perfectly. Thanks!

Oct 27 13:53:07.667 ERRO /usr/bin/dash (uid=1000, gid=1000) is not allowed to call git-credential-keepassxc, Caused by: N/A

Out[1]: CompletedProcess(args='echo "url=https://gitlab.com/-/profile/personal_access_tokens" | git-credential-keepassxc get | grep password | cut -d= -f 2', returncode=0, stdout='')

I'd say this should be non-zero (and maybe not a catch-all 1).

That also goes for other issues:

• ERRO Request associate failed,
• Database not opened (code: DatabaseNotOpened),
• argparse errors,
• etc etc

As far as I can tell, git-credential-keepassxc always returns error 0 or 1, regardless of what exactly went wrong. For scriptiing purposes it would be really cool if e.g. no unlocked database was indicated by a different error code from no entry found errors, such that the script can take proper action… I'm not very fluent in rust, but I think it should be really easy to implement for great value, isn't it? :)

Would be nice to be able to configure the compile time features. I.e. if added at compile time, still be able to e.g. call git-credential-keepassxc caller disable or whatever the syntax is, to disable said feature. Or to prevent the X-Y problem: What I want to do is disable the strict caller feature.

Thanks for creating and sharing this nice tool!

Hello,

I've updated to 2.7.3 and I've experience the following issue when trying to configure git-credential-keepassxc:

Oct 26 12:56:57.463 ERRO Failed to connect to Unix socket /run/user/1000/org.keepassxc.KeePassXC.BrowserServer, Caused by: Connection refused (os error 111)

It might be related to the recent change in KeePassXC issue #8030 which was merged into 2.7.2 and 2.7.3

Once I revert KeePassXC to 2.7.1 the git-credential-keepassxc is able to communicate with it.

I've found out about this nice utility while looking for a way to get KeepassXC credentials in scripts without entering master password every time (like ssh agent).

The classical way is to

$ keepassxc-cli show <db> <entry>

but it requests master password every time. More about the issue is at keepassxreboot/keepassxc#1483

Using subj like

printf "url=https://example.com\nusername=foo\n" | git-credential-keepassxc get

or

(cat << 'EOF'
url=https://example.com
username=foo
EOF
) | git-credential-keepassxc get --json | jq .

does what I need but figuring out it from README.md is not easy.

Can you pls add some docs about what stdin should be for git-credential-keepassxc get explicitely.