I have been trying to understand how security works for github desktop, and I wrote a summary for myself and for posting with my github projects so others may benefit.
As I'm not sure it's correct, and I don't want to expose possible security lapses, comments or alerts to security problems would be most appreciated.
Thank you
=====================
Version 11/19/2024
modified according to emailed comment on first version, with some passages pasted in.
Summary of how to do github on a pc or 'nix:
These are the author's personal notes to describe the authentication used between the browser and github desktop. This is an attempt to describe how they work and may be totally incorrect.
Github Desktop "GTD" is downloaded from github and I use it on a PC.
Overview of authentication process (howto follows later):
You log in to github as one or more users with a browser (ms-edge). If 2fa authentication is used, the browser takes care of that.
After that, Github Desktop uses the browser to do authentication:
When you sign in to the browser, it authorizes GitHub Desktop as a trusted client for your account. This process ensures that GitHub never directly handles your credentials outside of its secure web interface, which is a good security practice.
You will probably use more than 1 github user for various projects. To switch or add logged-in users on the browser when in github, click on the user icon at top right and click the left-right arrow thing. Only one user is active at a time, but you don't need to do the whole login process to switch, and the 2fa thing only needs to be done once.
An authentication token generated by the browser is stored locally on your machine. If your machine is compromised or shared, it's important to ensure that your system is secure and accounts are logged out if necessary.
When using Github Desktop, 2-factor authentication should be used.
Even if someone gets your password in the coffee shop, they can't login if 2fa is used.
Using the github webpage, click on the icon of you the user, choose "setting" with the gear, choose "password and authentication" and scroll down to "Two-factor authentication", then choose the option "authenticator app". The webpage then shows a qr code; scan this with the app and it appears on the app with proper repo name.
Note: another authentication is using deploy keys; this is good for scripts but only applies to a single repository, so I don't use it here.
How to open repo with "Github Desktop"
File->options->Accounts->"sign into github.com"
It starts your browser with signin page. Somehow the browser manages signin. If the github user is already signed in, just click on the name. Otherwise login as follows:
You put in user/password, then it asks for the 2fa code you get from the android app.
The webpage asks if you want to authorize "github desktop". Say yes and Github Desktop then appears showing your repos.
Now you can clone a repo: file->clone repository.
You commit to the repo in 2 steps: first button "commit to main", then "push changes".
Fetching changes from the repo
If someone else (or you on another computer) modifies repo code and you want to pull or fetch changes, click the "fetch origin" button on the top.
Warning: Github Desktop does not alert you to changes you may need to pull.
Sometimes you forget to pull, and when you push code, it asks you to pull. If there is a file conflict, a merge is done and that can get messy.
Setup user ID in Github Desktop
This determines what the github page displays as the contributor who committed to the repo, in the history listing.
It is not a github account. It is a name which stays on the particular computer, so use names like "dellLaptopA", "desktop1", "worklaptopA"...
This name is the same across all repositories, so don't use a github user.
Set up the contributor name by: File->Options->Git and set the name. Then set the email. Email name must match name, i.e. "desktop1@yourdomain.com" with user "desktop1". Nonexistent email is used but works ok.
If names don't match, a weird contributor name shows in the github page (I can't figure out where it came from).
This can be done by git-bash also. This way you can set different contributor names for each repository, with different owners.
To do this omit --global flag and use command in top folder where the .git folder lives.
Command modifies file <project root>/.git/config and adds user/email info with entries under [user]. The --global flag makes it modify (windows) C:\Users\userABC\.gitconfig. This file also gets modified when Github Desktop is used as above to set name.
# https://docs.github.com/en/get-started/getting-started-with-git/setting-your-username-in-git
# Git uses a username to associate commits with an identity. The Git username is not the same as your GitHub username
git config --global user.name "laptopXYZ"
# for github desktop commit to use proper user.name, the email
# address must have the same name, but domain doesn't matter
git config --global user.email "laptopXYZ@yourdomain.com"
You try to push in Github Desktop and it says "REPOSITORY NO LONGER EXISTS"
This happens when you login with more than one github account and GTD is logged in as that other user. Fix: go to FILE->OPTIONS->ACCOUNT and login as the other user owning the repo you are trying to push to.
Now open another "user in github desktop" to see how multiple users are handled.
You need to login the other github user: on the github webpage click on the user icon, then click on the left/right arrow thing which means switch user. Then login; it will do the prompts for 2fa. Sometimes it's authenticator app, other accounts use a text code.
File->options->Accounts->Sign out of account (the repo will still be there then you sign back in)
File->options->Accounts->Signin to other account; it will show you webpage where you choose a logged-in user to grant access to "github desktop". If not logged in, you may need to login to the other user now, on the webpage.
Then when you open or clone repository it shows repos for the new user.
Switching back and forth is fast in GTD; the browser shows all logged-in users. The "current repository" thing at top works only for the currently logged-in user.
To push repo changes, you must have GTD switched to the proper user or it gives "unauthorized" message or a misleading message that "repo no longer exists".
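Added example, not part of the original post: the per-repository identity setup described above (omitting --global), run in a throwaway HOME so the real ~/.gitconfig is untouched. The names desktop1 and worklaptopA and the example.invalid addresses are constructed; `--show-origin` reports which file supplied the value, and the final commit shows the self-asserted identity that ends up in history.

```shell
#!/usr/bin/env bash
# Constructed demo values throughout; nothing here touches a real account.
demo_root=$(mktemp -d)
trap 'rm -rf "$demo_root"' EXIT

# Isolate git from the machine's own configuration.
export HOME="$demo_root/home" XDG_CONFIG_HOME="$demo_root/home/.config"
export GIT_CONFIG_NOSYSTEM=1
# Environment variables would override both config files, so clear them.
unset GIT_AUTHOR_NAME GIT_AUTHOR_EMAIL GIT_COMMITTER_NAME GIT_COMMITTER_EMAIL
mkdir -p "$HOME" "$demo_root/repo"

# --global writes $HOME/.gitconfig: the default identity for every repository.
git config --global user.name  "desktop1"
git config --global user.email "desktop1@example.invalid"

git init -q "$demo_root/repo"

# Print "<file that supplied the value><TAB><value>" as git resolves the key.
effective() {
    git -C "$demo_root/repo" config --show-origin --get "$1"
}

# Author recorded in the newest commit, as "Name <email>".
last_author() {
    git -C "$demo_root/repo" log -1 --format='%an <%ae>'
}

# With no repository-level entry, the global identity applies.
before=$(effective user.name)

# Omitting --global writes <repo>/.git/config, which overrides the global file.
git -C "$demo_root/repo" config user.name  "worklaptopA"
git -C "$demo_root/repo" config user.email "worklaptopA@example.invalid"
after=$(effective user.name)

# The commit records whatever identity was in effect; git does not verify it.
git -C "$demo_root/repo" commit -q --allow-empty -m "identity check"

printf 'before: %s\nafter:  %s\nauthor: %s\n' "$before" "$after" "$(last_author)"
```

Running `git config --show-origin --get user.email` inside a real working copy before the first commit shows which file will supply the address that gets published in the repository history.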