GCM storing creds in the clear when cloning? #915
I followed the docs to get this setup on Linux and something is missing. This is how I installed/initialized it:
How does GCM handle credentials in a URL such as the clone below? The token-name and token text are placed in .git/config in the clear anyway. What's weird is I did get prompted via curses pin-entry to unlock my gpg key after hitting [ENTER] so assumed GCM should at least hash the token or otherwise somehow protect it. What am I missing?
Replies: 1 comment
When you include the username:password in the remote URL, Git will try to use those credentials in an Authorization: Basic base64(user:pass) header, without calling credential helpers like GCM.

I think however, Git might be calling GCM to store the credential after it's successfully used them, meaning we're sort of being asked to store something redundant - as you said, the credentials are being stored in plaintext in the .git/config file by Git.

If you're going to include credentials in the remote URL (you really shouldn't), there's no need to use GCM.
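
A defender's check for the situation discussed in this thread, as an added example that is not part of the original discussion: it scans .git/config text for HTTP(S) remote URLs that embed username:password and reports a credential-free URL to set instead. The sample config, host name and token value are constructed, and the function name is hypothetical.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample of a .git/config left behind by a clone with credentials in the URL.
SAMPLE_CONFIG = """\
[core]
	repositoryformatversion = 0
[remote "origin"]
	url = https://token-name:EXAMPLE-TOKEN-VALUE@git.example.com/group/project.git
	fetch = +refs/heads/*:refs/remotes/origin/*
[remote "mirror"]
	url = https://git.example.com/group/mirror.git
"""

SECTION = re.compile(r'^\s*\[(\w+)(?:\s+"([^"]*)")?\]\s*$')
KEYVAL = re.compile(r'^\s*(\w+)\s*=\s*(.*?)\s*$')


def find_embedded_credentials(config_text):
    """Return one finding per HTTP(S) remote URL that carries user[:password]@."""
    findings = []
    section = name = None
    for line in config_text.splitlines():
        m = SECTION.match(line)
        if m:
            section, name = m.group(1).lower(), m.group(2)
            continue
        m = KEYVAL.match(line)
        if not m or section != "remote" or m.group(1).lower() not in ("url", "pushurl"):
            continue
        parts = urlsplit(m.group(2))
        # Only HTTP(S) userinfo ends up in a Basic auth header; skip ssh and scp-style URLs.
        if parts.scheme not in ("http", "https") or parts.username is None:
            continue
        # Rebuild the URL without userinfo; the secret itself is never copied into the report.
        host = parts.netloc.rpartition("@")[2]
        clean = urlunsplit((parts.scheme, host, parts.path, parts.query, parts.fragment))
        findings.append({"remote": name, "key": m.group(1).lower(),
                         "username": parts.username,
                         "has_password": parts.password is not None,
                         "clean_url": clean})
    return findings


if __name__ == "__main__":
    for f in find_embedded_credentials(SAMPLE_CONFIG):
        print(f"remote {f['remote']}: {f['key']} embeds credentials for "
              f"{f['username']!r}; replace with {f['clean_url']}")
```

After pointing the remote at the reported clean URL, the credential helper is what Git consults on the next fetch or push, and the exposed token should be treated as compromised and rotated.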