
Ask Different (Apple)

Q&A for power users of Apple hardware and software

Latest Questions

1 votes
1 answers
168 views
macOS Server: How to remove self-signed root from website SSL cert chain?
macOS 10.13.6, Server.app 5.6.3 I'm using LetsEncrypt SSL certs. After updating a cert with certbot, I use openssl to export a PKCS12 file, then import that to the system keychain using "security" as follows:
# cd /etc/letsencrypt/live/www.brazoslink.net
# openssl pkcs12 -export -inkey privkey.pem -in cert.pem -certfile fullchain.pem -out letsencrypt_sslcert.p12 -passout pass:(random passkey)
# security import letsencrypt_sslcert.p12 -f pkcs12 -k /Library/Keychains/System.keychain -P (random passkey) -T /Applications/Server.app/Contents/ServerRoot/System/Library/CoreServices/ServerManagerDaemon.bundle/Contents/MacOS/servermgrd
This all works, no errors, the updated cert appears in Server Admin just as it should, and any services/websites using that cert are automatically updated to use the updated cert so I can delete the old version. All good. However, the cert that gets created in /etc/certificates contains the self-signed "ISRG Root X1" cert, which was not contained in the original LE cert. When I run the SSL cert tests at ssllabs.com, it complains, "Incorrect order, Extra certs, Contains anchor" and gives me a "B" rating. Can anyone explain what is going on here, and how I can fix it?
JLG (150 rep)
Nov 14, 2022, 10:10 PM • Last activity: Aug 2, 2025, 12:09 AM
2 votes
1 answers
740 views
errSecInternalComponent when using codesign from within a daemon
I have my own running daemon application that listens to a network port and executes some different commands based on the coming request. All is working fine except when trying to execute the following `codesign` command. `sudo codesign --force --timestamp --options=runtime --entitlements --sign` Where I see an error saying errSecInternalComponent. However, when I take the same command and paste it into the terminal it works. I have my application certificate installed under both login and System keychains and set to be Always Trust in settings. I tried adding --keychain option to specify the keychain path for the codesign command. Also, I made sure that both login and System keychains are unlocked during command execution. Besides, I tried adding the following key/value pair to my daemon plist file and restarting it.
SessionCreate
All of the above trials failed to fix the issue, I'm out of ideas and any help would be highly appreciated.
Mohammad Fneish (121 rep)
Feb 16, 2022, 11:29 PM • Last activity: Jul 23, 2025, 02:34 AM
0 votes
1 answers
738 views
How to set a new iPhone Backup Password for new backups
Unfortunately, I have lost/forgotten the password for my old iPhone backups. I understand that I cannot access any old backups without having the password to those backups, but I want to be able to create usable backups going forward. It seems as if that password is burned into the phone forever and that I cannot create a *useable* backup now or in the future without having the old password. The only useful suggestion I have found is to Reset the phone, not clearing data, which some posts suggest will lose the keychain and Wifi passwords. So if that's the only way, is there a way to separately backup the keychain and Wifi passwords? Obviously I can't rely on the normal backup system.
August (515 rep)
Feb 26, 2024, 03:15 AM • Last activity: Jul 21, 2025, 01:08 AM
4 votes
1 answers
893 views
Unable to delete identity in Keychain
A certificate that we use for Wi-Fi in the office has expired, and it does not renew for some reason. When I try to delete it from Keychain Access I get the following error: [image: Invalid Keychain] I guess that's the reason why the certificate is not being renewed. I tried the same from terminal as well. When I try to find it using its name, it finds and shows that it is not valid.
$> security find-identity  "XXXXXXXoffice"  /Users/username/Library/Keychains/login.keychain-db


Policy: X.509 Basic
  Matching identities
  1) F0XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX30 "localhost" (CSSMERR_TP_CERT_EXPIRED)
  2) E9XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXC9 "4ab2f0ae-76fd-4636-a899-c4e89b8386d1" (CSSMERR_TP_NOT_TRUSTED)
     2 identities found

  Valid identities only
     0 valid identities found
When I try to delete it though, I get an error, just like I get from the Keychain Access.
security delete-identity -c "XXXXXXXoffice"  /Users/username/Library/Keychains/login.keychain-db
Unable to delete certificate matching "XXXXXXXoffice"%
Any suggestions on how I can delete this keychain identity?
Selcuk S. (41 rep)
Jan 17, 2023, 03:48 PM • Last activity: Jul 14, 2025, 05:00 PM
2 votes
2 answers
82 views
Import Chrome passkey to iCloud keychain
I added a Duo Touch ID 2fa 2 years ago when I'm on macOS 12 that don't support Chrome saving passkey to iCloud. I'm still on macOS 12 but I can use iCloud passkey in Safari. Is it possible to import Chrome passkey to iCloud / Safari manually?
Joy Jin (3043 rep)
Jan 27, 2025, 02:25 AM • Last activity: Jul 12, 2025, 11:08 PM
0 votes
1 answers
53 views
security find-identity -v -p codesigning doesn't show identify but KeychainAccess.app does
I'm trying to codesign a Tauri macOS app and follow this tutorial. I need to see the identity of the certificate and put it in the tauri.conf.json. I downloaded the certificate from the AppStore Connect and installed it in the Keychain. The KeychainAccess.app shows it clearly: [image: keychain access app shows certificate] But running security find-identity -v -p codesigning doesn't show it. I just downloaded the certificate to a new M1 macBook and can see that the KeychainAccess.app shows it as the attachment. So, there's a discrepancy between what security find-identity shows and what KeychainAccess.app shows. The certificate was generated on a different machine: an Intel-based macBook Pro from 2017. I don't think that matters. All these operations are done in my Apple chip MacBook Pro. Again, I don't think that should matter. Any clue?
Seto (101 rep)
Jul 9, 2025, 10:38 AM • Last activity: Jul 10, 2025, 07:10 PM
7 votes
2 answers
11638 views
How can I delete a keychain password for github and vscode?
The way of deleting keychain access codes is to open the keychain access control and right click on the code and delete, which worked before. [image] But now it doesn't, and when I press delete nothing happens. How can I force delete any keychain access? Is there a way of doing this with terminal?
Mehdi Faraji (505 rep)
May 23, 2021, 03:20 PM • Last activity: Jul 8, 2025, 07:30 AM
0 votes
1 answers
59 views
Can I create missing keychain entries?
The Mail app on a MacOSX 10.15 system keeps asking for entering the mail account's password. Gmail is working, the other accounts are not. There is a keychain entry for the Gmail account. There are no keychain entries for the other email accounts. I don't know why the keychain entries are missing (it is not my Mac). But my first idea is that the missing keychain entries should be re-created. Is there a way to do this?
philburns (101 rep)
Oct 16, 2023, 10:58 AM • Last activity: Jul 7, 2025, 11:04 PM
3 votes
1 answers
2562 views
Why is my Catalina installation throwing up errors about SecurityAgent / login keychain overnight, and showing a grey lock screen?
This is a slightly difficult issue to describe precisely but I'll do my best. About six weeks ago, my installation of Catalina (10.15.7, MacBook Pro 13" 2020 / MacBookPro16,2) started to exhibit some strange behaviour when left running overnight (or possibly: when left running unattended for several hours). Sometimes, but by no means every day, I'll return to the machine in the morning and wake the screen to see a grey lock screen (no background image) and a prompt that will often only accept my password (i.e. not Touch ID). Upon unlocking the machine I'll see a series of errors and password prompts, which seem to be stuck in a loop (or maybe there are just enough of them queued up that it seems like a loop). These messages include:
Unapproved caller. SecurityAgent may only be invoked by Apple software
---
Unrecoverable error. SecurityAgent was unable to create requested mechanism builtin:unlock-keychain.
---
accountsd wants to use the “login” keychain. Please enter the keychain password.
---
callservicesd wants to use the “login” keychain. Please enter the keychain password.
---
identityservicesd wants to use the “login” keychain. Please enter the keychain password.
---
CallHistorySyncHelper wants to use the “login” keychain. Please enter the keychain password.
---
assistantd wants to use the “login” keychain. Please enter the keychain password.
---
CommCenter wants to use the “login” keychain. Please enter the keychain password.
The system will give the appearance of being usable but isn't really. Symptoms include:
* Finder and Dock repeatedly restarting
* Generally unable to interact with menubar, e.g. to shut down
* Inconsistent ability to tab between apps and interact with or quit them
* Unable to start new apps from Dock or menubar shortcuts (icons just bounce for a while)

So far I have never been able to cleanly shut down the machine in this state and have had to power it off using the Touch ID / power button. When booting back up, everything seems fine except sometimes Touch ID preferences have been reset (i.e. I have to enrol my finger again) and on one occasion my saved Bluetooth devices, except for mouse and keyboard, were deleted. For what it's worth, it does seem that if I "catch" the problem quickly enough, e.g. returning to the machine late at night, the damage is more limited and Touch ID is not always reset, however the other issues remain. I have also tried putting the machine into standby overnight by closing the lid, rather than leaving it running, but at least once the issue has still occurred (presumably the machine is waking up at some point overnight to do something). I'm a bit stumped as to how to diagnose this. My hunch is that it's something to do with the system somehow losing access to Keychain – based on mentions in the error messages above. I did have iCloud Keychain enabled previously, but disabled it a couple of weeks ago, and the issue has happened at least once since then. An answer to [another question](https://apple.stackexchange.com/questions/245309/how-to-fix-corrupt-keychain-permissions) mentions Keychain permissions – these are mine, in case they're relevant:
# /Library/Keychains:
0 drwxr-xr-x   9 root  wheel             288B  9 Feb 08:07 Keychains

# /Library/Keychains/System.keychain
248 -rw-r--r--  1 root  wheel   120K  7 Jan 13:16 /Library/Keychains/System.keychain

# ~/Library/Keychains/ [with redactions]
total 928
  0 drwx--x--x   7 james  staff   224B 14 Feb 10:07 .
  0 drwx------@ 85 james  staff   2.7K 10 Feb 12:22 ..
  0 -r--r--r--   1 james  staff     0B  7 Dec  2020 .XXXXXXXXXX
  0 -r--------   1 james  staff     0B  7 Dec  2020 .XXXXXXXXXX
  0 drwx------  11 james  staff   352B 14 Feb 09:06 XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
880 -rw-r--r--@  1 james  staff   439K 14 Feb 10:07 login.keychain-db
 48 -rw-------   1 james  staff    23K 14 Feb 09:41 metadata.keychain-db
Any light that anyone might be able to shed on this would be much appreciated! I have a TODO list item to upgrade to Big Sur, at which stage this might become moot, but until then I would really like to understand it better and avoid having to do these forced-shutdowns every now and then. Thanks for reading and if I can provide any more info or data please ask.
BigglesZX (111 rep)
Feb 14, 2022, 10:43 AM • Last activity: Jul 5, 2025, 10:04 PM
1 votes
1 answers
531 views
How to limit `set-key-partition-list` to one certificate
TLDR: How can I make `security set-key-partition-list` run against a single entry, rather than everything in the keystore?
---
I was facing issues with a cipher mismatch with a dotnet/aspnet app and a self-signed cert: [image] Eventually I found [this github issue](https://github.com/dotnet/runtime/issues/27132#issuecomment-553048843), which led me to
log stream --process
Giving:
securityd: [com.apple.securityd:integrity] failure extending partition
 securityd: [com.apple.securityd:security_exception] MacOS error: 32
 securityd: [com.apple.securityd:clientid] code requirement check failed (-67050), client is not Apple-signed
 securityd: [com.apple.securityd:integrity] ACL partition mismatch: client teamid:UBF8T346G9 ACL ("cdhash:71c6a2e36e9b3aa01232049c467ebbad51311b9")
Searching from there gave me [this SO question(!)](https://stackoverflow.com/q/64017267/16505654), which suggested
sudo security set-key-partition-list -D localhost -S unsigned:,teamid:UBF8T346G9 $(security login-keychain)
And voila, this worked - I can now use this certificate to run the app locally. But, that command ran against ~2489 entries, rather than the 1 that I expected. **So**, how can I make security set-key-partition-list run against a single entry, rather than everything in the keystore? It seems that security find-key has completely different args that don't seem to match - I either get no results, or ~2489 results. I've even got to the point of spelunking through [the source code](https://opensource.apple.com/source/Security/Security-59306.61.1/SecurityTool/macOS/keychain_find.c.auto.html) to try and figure this out, but I didn't get very far.
Matt Richardson (11 rep)
Feb 1, 2023, 01:37 AM • Last activity: Jul 4, 2025, 04:05 PM
1 votes
2 answers
436 views
Chrome is not filling in passwords on a catalina laptop
Several months ago I switched to a new laptop with Catalina on it. On this machine the passwords for sites that used to be stored in the browser are no longer being offered. I have to type them in every time. Some sites do work properly as far as remembering cookies/logins - e.g. _zillow.com_ - more of them do not. Examples of the latter include _utexas.edu_ and for _chase.com_. I use _Chase_ frequently and can see it in Google Password Manager: [image] But I have to enter the password *every time* _anyways_. The keychain does seem to be working: I can see plenty of entries in it. Here is recent history: [image] Also: **Offer to save passwords** is enabled: [image] Note that passwords *are* filled in/remembered for Safari. So why are passwords not being populated on Chrome? I am on macOS Catalina with latest chrome Version 84.0.4147.135

**Update** Based on comment from @JBallin

> Go to your chrome settings. Under "Site Settings" - "Cookies" - you see an "Allow" button. Click on the "add" and then add: accounts.google.com (source) – JBallin 3 hours ago

I was looking for how to "allow" _accounts.google.com_. I do not see an "allow" button [image]

Update again: now I found this under Cookies and other site data - and added _accounts.google.com_ (I had previously added 2 sites that are still not working): [image]
WestCoastProjects (6555 rep)
Aug 27, 2020, 03:07 AM • Last activity: Jul 4, 2025, 10:03 AM
1 votes
1 answers
148 views
adding certificate to the trusted list in macOS keychain - commandline vs GUI
I was wondering if there's any difference between adding trusted certificate from commandline:
sudo security add-trusted-cert -d -r trustRoot ~/c1.cer
and opening the certificate in the keychain UI and mark it as "always trust". I've got an application that fails on server certificate validation when I mark the server's published certificates as valid from GUI but passes when I do the same from commandline.
Irad K (161 rep)
Sep 30, 2024, 10:27 AM • Last activity: Jun 27, 2025, 10:03 PM
7 votes
3 answers
28753 views
Where are the root CAs stored on OS X?
I need one of the root CA certificates, as a filename, to pass to a command-line program. I could download it from DigiCert (and convert it to the required format, .crt) manually, but I figure it's easier to just use the CA that OS X must already have. It's a common certificate, and all my Linux servers already have it, for example. In the "Keychain Access" app, the correct certificate does exist, but I can't find anything that says where it lives. Do these CAs exist in the filesystem, or only in an opaque proprietary format for OS X APIs?
Ken (73 rep)
Feb 5, 2016, 07:02 PM • Last activity: Jun 24, 2025, 04:52 AM
4 votes
2 answers
2705 views
How to sync passwords between Windows Chrome and iCloud Keychain?
How can I sync passwords between Chrome and iCloud Keychain, i.e. import passwords stored by Chrome on a Windows desktop computer to the iCloud keychain in order to be used on an iPhone?
CSEE (41 rep)
Mar 9, 2022, 11:57 AM • Last activity: Jun 24, 2025, 01:02 AM
15 votes
5 answers
17269 views
Deleting an app’s data from the iOS Keychain, or resetting the Keychain entirely
I installed an app that stores a persistent identifier in the iOS keychain, even after uninstalling and reinstalling it. This really bugs me. Is there a way to delete said app's data from the Keychain, or worst-case resetting the entire iOS Keychain, without resetting the device completely? **Note**: I'm not talking about the iCloud Keychain, but the on-device keychain that apps can store small bits of data in.
BarryBluejeans (303 rep)
Jul 31, 2018, 07:59 PM • Last activity: Jun 20, 2025, 03:48 PM
1 votes
2 answers
140 views
TouchID not filling passwords on Safari and just showing passwords stored inside Safari, not Keychain
I am using BigSur for the first time today, after unboxing a new iMac M1. I migrated all my stuff from an old iMac with Catalina, to this one, using a time machine backup. The new machine is working well but everything related to passwords is a mess. I have been using macOS for 15 years. I have billions of passwords for websites on keychain. Now, on this new machine, when I visit a site that requires username/password, the field username appears filled but when I click on the password field, I am offered the option to unlock the passwords using touchID. This feature fails 100% of the time. If instead of using TouchID I type my mac password I see only the passwords stored inside safari, not those on Keychain. But the keychain passwords are there. Any way to make this work as before?
Duck (2572 rep)
Jun 8, 2021, 09:44 PM • Last activity: Jun 19, 2025, 11:06 PM
2 votes
1 answers
612 views
iOS distribution certificates expiring for two apps from same team: Do I need to take separate actions?
I have two apps both associated with the same development team, and I've gotten notifications for both of them that Your iOS Distribution Certificate will no longer be valid in 30 days. I got these notifications for the two apps on separate days. I followed the instructions on [this page](https://www.idownloadblog.com/2020/08/26/how-to-generate-new-apple-developer-distribution-certificate/) and generated a new .p12 file, and now on developer.apple.com under Certificates, Identifiers & Profiles there's a new iOS Distribution Certificate for our team. **What I Want To Know:** Do I need to take separate actions for each app, or is this all I need to do?
gkeenley (491 rep)
Jun 3, 2022, 04:48 PM • Last activity: Jun 18, 2025, 06:05 AM
0 votes
1 answers
83 views
How to restore specific files from time machine to a different folder
I want to restore the keychain library from my older Mac, which I don't have anymore. But I don't want to overwrite the existing keychain. The Time Machine interface only lets me restore files in place. One would think the "restore to..." option would let me choose where to restore them, but it doesn't and just tries to overwrite everything. I can't empty/rename the directory beforehand because the directory.
Alexei Humeniy (1 rep)
May 20, 2024, 04:19 PM • Last activity: Jun 14, 2025, 09:06 PM
7 votes
3 answers
5965 views
Mount a samba drive, with password from keychain
I have a problem with Jettison, that tries to remount a samba drive, that is protected by a password. It uses the following command line:
/sbin/mount_smbfs //[user]@[server]/work /Volumes/work
Of course it fails since the password is not present (nor the -N switch). I am aware that it should contain a password, but I do not want the app to know it. So my question is: Is there a way to request the password like this (I am aware this is not correct):
/sbin/mount_smbfs //[user]: %keychain->[identified keychain]%@/work /Volumes/work
SNEILΛ (71 rep)
Oct 24, 2012, 01:16 PM • Last activity: Jun 4, 2025, 02:11 PM
4 votes
1 answers
384 views
Recover/Crack Password from Keychain in OS X 10.15 Catalina, via known items in keychain and potentially from logs?
I am racking my head for an [old login password] (pass1) that is gone from my keychain but still in a Time Machine backup. The password I seek [encrypts an external drive] (pass2), which used to unlock automagically by virtue of being in the keychain so I did not memorise it. However losing (pass2) now would also mean losing a good deal of data. I still know some of the passwords in that keychain (pass3), but I have forgotten the master password (pass1). Unfortunately I have been using complex passwords for some time now and will not be able to brute force it with the likes of hashcat easily. Nevertheless, I hope to recover the old login password (pass1) by deducing what the hash and salt of the keychain is from the other known passwords (pass3). Does macOS store remnants or clear version of passwords in any locations? edit: I was quite lousy with my password and found some old passwords in Copyclip, an app that logs text copied to clipboard (security risk, yes); I also have Near Lock which I think might log some keystrokes but I am still investigating, and am wondering if there might be other somewhat common places that might have passwords stored due to poor security practices.
T Lau (41 rep)
May 30, 2025, 08:51 PM • Last activity: Jun 1, 2025, 02:58 PM
Showing page 1 of 20 total questions