Keyring Extension

This extension is not distributed with Mercurial.

Author: Marcin Kasperski

Project site:


For the most up to date and more complete documentation see this description. or, equivalently (but with worse formatting) copy on PyPi

(!) If you are on Windows, we recommend you use TortoiseHg. It ships with Windows-specific keyring backends, without which the mercurial-keyring extension cannot function properly on Windows. The mercurial-keyring extension itself has been shipped with TortoiseHg since version 0.10.

1. Overview

Keyring extension uses services of the keyring library to securely save authentication passwords (HTTP/HTTPS and SMTP) using system specific password database (Gnome Keyring, KDE KWallet, OSXKeyChain, dedicated solutions for Win32 and command line).

1.1. What it does

The extension prompts for the HTTP password on the first pull/push to/from given remote repository (just like it is done by default), but saves the password (keyed by the combination of username and remote repository url) in the password database. On the next run it checks for the username in .hg/hgrc, then for suitable password in the password database, and uses those credentials if found.

Similarly, while sending emails via SMTP server which requires authorization, it prompts for the password on first use of given server, then saves it in the password database and reuses on successive runs.

In case the password turns out incorrect (either because it was invalid, or because it was changed on the server) it just prompts the user again.

2. Installation

Install the keyring library:

easy_install keyring

(or use any other method to install it from PIP). On Debian "Sid" the library can be also installed from the official archive (packages python-keyring, python-keyring-gnome and python-keyring-kwallet).

Then use one of the two options:

a) Install mercurial_keyring as a module from PyPi:

easy_install mercurial_keyring

and configure your .hgrc so:

mercurial_keyring =

b) Download, save this file anywhere on the system (preferably in hgext directory), and configure your .hgrc to enable the extension by adding following lines:

hgext.mercurial_keyring = /path/to/

3. Configuration

3.1. Password backend configuration

The most appropriate password backend should usually be picked automatically, without configuration. Still, if necessary, it can be configured using ~/keyringrc.cfg file (keyringrc.cfg in the home directory of the current user). Refer to keyring docs for more details.

3.2. Repository configuration (HTTP)

Edit repository-local .hg/hgrc and save there the remote repository path and the username, but do not save the password. For example:

myremote =

myremote.schemes = http https
myremote.prefix =
myremote.username = mekk

Simpler form with url-embedded name can also be used:

bitbucket =

Note: if both the username and password are given in .hg/hgrc, the extension will use them without using the password database. If the username is not given, extension will prompt for credentials every time, also without saving the password. So, in both cases, it is effectively reverting to the default behaviour.

3.3. Repository configuration (SMTP)

Edit either repository-local .hg/hgrc, or ~/.hgrc (the latter is usually preferable) and set there all standard email and smtp properties, including smtp username, but without smtp password. For example:

    method = smtp
    from = Joe Doe <>

    host =
    port = 587
    username =
    tls = true

Just as in case of HTTP, you must set username, but must not set password here to use the extension, in other cases it will revert to the default behaviour.

4. Usage

Configure the repository as above, then just pull and push (or email) as needed. You should be asked for the password only once (per every username+remote_repository_url combination).


KeyringExtension (last edited 2016-04-13 12:25:37 by MarcinKasperski)