In what order does the keychain lookup happen?

For example, with google.com as an item name, I have two keychain items with the name "Foo", one in KeychainA and another in KeychainB.

When I run the following, which password should be retrieved? The password from KeychainA or from KeychainB?

Does it retrieve items from keychains by prioritizing the 'default' keychain first? Or is it sorted by the keychain name? Or does it prioritize items based on date?

security find-generic-password -w -s 'google.com' -a 'Foo'

I ask because we often have certs that are duplicated across keychains, and when I run the command above, the item is retrieved from a locked keychain. That causes an OS prompt, which halts our Jenkins/CI.

Replies

To start, read On Mac Keychains. Everything I’m discussing here refers to the file-based keychain, not the data protection keychain.

The keychain APIs search for keychain items based on the keychain search list. You can access that programmatically but here I suspect that you just want to poke around at it, in which case I recommend the list-keychains subcommand of the security tool. For details, see the security man page.

I asked because we often have certs that are duplicated across keychains and when I run the command above, the item is retrieved from a locked keychain.

Are these actually duplicates? Or just certificates with similar names?

If it’s the former, why do you have duplicates? That seems… redundant.

If it’s the latter, I recommend that you switch to SHA-1 hashes. I talk about this in Creating Distribution-Signed Code for Mac.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
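As an added example (not from this thread or from Apple), the script below ties the question's `find-generic-password` command to the search list Quinn points at: it walks `security list-keychains` in the order printed and reports every keychain that holds the item, using a metadata-only search (no `-w`/`-g`) so a locked keychain does not prompt. It assumes the macOS `security` tool; `SECURITY_BIN` is a hypothetical override added only so the functions can be exercised with a stand-in.

```shell
#!/bin/sh
# Added example. Finds which keychains in the current search list hold a
# generic-password item with the given service/account, without reading the
# secret, so a CI job can spot duplicates before a locked keychain prompts.
# Assumption: macOS `security` is on PATH; SECURITY_BIN is a hypothetical
# override used for testing with a stand-in command.

# Turn `security list-keychains` output (indented, double-quoted paths)
# into one bare path per line, preserving search-list order.
parse_search_list() {
    sed -n 's/^[[:space:]]*"\(.*\)"[[:space:]]*$/\1/p'
}

# Print, in search-list order, every keychain containing the item.
# Searching attributes only (no -w or -g) does not unlock the keychain.
find_item_keychains() {
    service=$1
    account=$2
    sec=${SECURITY_BIN:-security}
    "$sec" list-keychains | parse_search_list | while IFS= read -r kc; do
        if "$sec" find-generic-password -s "$service" -a "$account" "$kc" >/dev/null 2>&1; then
            printf '%s\n' "$kc"
        fi
    done
}

# Succeed only when the item lives in at most one keychain on the search list;
# a CI job can fail fast here instead of hanging on an unlock prompt.
check_duplicates() {
    n=$(find_item_keychains "$1" "$2" | wc -l | tr -d ' ')
    [ "$n" -le 1 ]
}
```

Run as `check_duplicates google.com Foo` before the real `-w` lookup; a non-zero exit means the same service/account exists in more than one keychain on the search list.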

  • Thanks I read the first link.

    It’s the former. I forgot to mention I’m aware of list-keychains. So this is obviously the case where both of them are part of the search list. But often the locked item is found.

    We run into this situation because a Jenkins build job may not have deleted a private/custom keychain, or may have added a cert into the login keychain (which is against our instructions). We shouldn’t be in this situation. I agree with the direction you’re guiding me.

    This was more a question to gain foundational knowledge on how keychain lookups work when identical names exist within the search list. It helps me debug our potential Jenkins build agent problems.
