Authenticated Mercurial repositories are generally handled in one of two ways: HTTP authentication or SSH. Prior to Mercurial version 1.3, the best way to handle authenticated repositories so that you didn’t have to enter your password on every transaction was to use SSH with ssh-agent, or, if you were running Mac OS X, use Jonathan Wight’s hgkeychain extension, which stored HTTP passwords in the Mac OS X keychain. As of Mercurial 1.3, there’s a new way to handle authenticated HTTP repositories that I’ve just started using.

Mercurial 1.3 added official support was for storing HTTP authentication information in .hg/hgrc. The official documentation for this is in the hgrc.5 man page, but there’s also a good article on on how to set it up. The gist of it is you put something like this in your .hg/hgrc:

bb.prefix =
bb.username = {username}
bb.password = {password}

The problem with this solution is that your password is stored as plaintext. Enter mercurial_keyring, also known as the keyring extension. If you leave the password out of your hgrc, the keyring extension will prompt you for the password and store it in a system specific password database, such as the OS X keychain, Gnome Keyring, or KDE KWallet.

Earlier versions had one drawback: it stored passwords indexed on the repository’s URL. For example, if you had two repositories on BitBucket, you’d have to enter your password twice, once for each repository. This wasn’t ideal, especially when you have many repositories on BitBucket. Once I entered my BitBucket password, I shouldn’t have to enter it again.

So I forked the project and and modified it so that saved passwords are indexed on the URL prefix you setup in hgrc. Thus, all authenticated BitBucket repositories will share the same password. My patches were accepted and included in version 0.4.0 of mercurial_keychain. I’ve only been using it for a day now, but it’s been working out well so far.